Google announces new bug bounty platform
Google announced a new bug bounty platform as it celebrated the 10-year anniversary of its Vulnerability Rewards Program (VRP). The program has led to a total of 11,055 bugs found, 2,022 researchers rewarded and nearly $30 million in total rewards.
Jan Keller, technical program manager for Google’s VRP, said that in honor of the program, the company is unveiling a new platform: bughunters.google.com.
“This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues,” Keller said.
Keller added that the platform will have gamification features and offer more chances for interaction or competition. There will be per-country leaderboards and chances to acquire awards or badges for specific bugs.
The company is also creating a more “aesthetically pleasing leaderboard” as a way to help those using their achievements in the VRP to find jobs. There will even be more chances for bug hunters to learn through the new Bug Hunter University.
“We know the value that knowledge sharing brings to our community. That’s why we want to make it easier for you to publish your bug reports. Swag will now be supported for special occasions (we heard you loud and clear!),” Keller wrote.
The blog post notes that more people should take advantage of other VRP features like the ability to submit patches to open-source software for rewards and potential rewards for research papers on the security of open source.
Some open-source software may even be eligible for subsidy, Keller explained.
“When we launched our very first VRP, we had no idea how many valid vulnerabilities — if any — would be submitted on the first day. Everyone on the team put in their estimate, with predictions ranging from zero to 20,” Keller said.
“In the end, we actually received more than 25 reports, taking all of us by surprise. Since its inception, the VRP program has not only grown significantly in terms of report volume, but the team of security engineers behind it has also expanded – including almost 20 bug hunters who reported vulnerabilities to us and ended up joining the Google VRP team.”
Keller went on to thank the Google bug hunter community for their work and urged them to give feedback about the new platform.
Hank Schless, senior manager at Lookout, said his company has reported nearly 600 malicious apps found in the Play Store and commended Google for “essentially crowdsourcing their bug and vulnerability reporting.”
“Google has always taken a more open approach to its software than comparable companies. Android, for example, is built on open-source technology that enables more customization of the OS,” Schless said.
“Relying on others to help report on issues is a key part of creating a secure customer experience that can continue to improve. This type of community-based knowledge only serves to make the world a more secure place.”