Who better to test a bank vault security system than a would-be thief? The engineers who designed and installed the safe have worked the project for a period of time and are unable to see flaws, simply because it's been their work. A combination of a fresh perspective and suitable skillset may be all that is required to help find flaws. The trick is in rewarding the safe crackers enough so that they will consider sticking around to find more flaws in other safes and so that they won't try to run off with the loot. And this is something that Google (and other software or technology companies) have been organising for some time now: a bug bounty hunt, rewarding hackers for discovering vulnerabilities.
Google have recently disclosed some of the successes of their "Rewards Programs," the word they used for the bug bounty hunt. They've paid out more than $4 million since it was started in 2010. In 2014, they paid out $1.5 million across 500 bugs. The largest single cash reward was $150,000, although better yet for this individual is that he joined the business for an internship. Google have also disclosed that more than half of reported bugs in Chrome were recorded for the developer or beta versions, which meant they were able to fix issues before they arrived at the main user population.
We've already seen Google's involvement with online security, such as their Project Zero bug hunting scheme whereby they notify other software companies about bugs in their code and give them a ninety day deadline before they tell the world. They're also improving their existing bug bounty hunt schemes two with two announced improvements and the first recognizes that as their existing projects make it harder to find bugs, they do not want to witness fewer people looking for them. Google have come up with a potential solution to this: Vulnerability Research Grants. This means that they will pay researchers (Google's quaint way of saying "hackers" as it doesn't have such negative connotations!) cash in advance of finding a bug. Google will publish different types of vulnerabilities, products and services that they are looking for bugs and will award grants up front, with no strings, across various tiers up to a maximum of $3,133.70. Researches working under a grant will still be able to be rewarded for other bugs that they find in the usual way. Second, Google are opening up all mobile applications officially developed by Google on both the Google Play Store and Apple iTunes Store. This covers everything from the infrastructure to the applications themselves, for example the built-in anti-virus software that's included in the Android Play Store is a part of this scheme.
Details are still a little thin on the ground at this stage, but Google's head of product security, Matt Moore, will be announcing more information on the new initiatives soon. It's good news that Google is broadening the scope of code covered by the rewards process and that they recognize that the mobile side of things is vitally important too. What do you think of the new developments? Or are you too busy signing up to be a Google vulnerability researcher? Let us know in the comments below.