Vulnerability Research Grant Rules
In January 2015 we launched a new experimental program called Vulnerability Research Grants to complement our long-running Vulnerability Reward Program, with the goal of rewarding security researchers that look into the security of Google products and services even in the case when no vulnerabilities are found.
The program is intended for our top performing, frequent vulnerability researchers as well as invited experts, and we hope it will allow us to reward the security researchers time and attention including the situations when they don't find any vulnerabilities. If, as a result of the grant, a vulnerability is found, then it will also be eligible for a reward under our Vulnerability Reward Program.
List of Vulnerability Research Grants
Newly launched services and features
This grant is for security research on newly launched features and products. (We will share a list of recently launched products once the grant is awarded.)
Aimed at rewarding researchers looking for new research targets, and curious on what was recently launched by Google. Note the Google product security team reviews new products and services before launch, but we want to support external research and scrutiny.
Grant amounts will vary from $500 USD up to $3,133.7
Sensitive product security research
This grant is for security research on an existing Google product considered particularly sensitive (Services listed as Highly Sensitive Services in our VRP page.)
The Google security team works actively with products that are hosted in sensitive HTTP Origins, or that handle particularly sensitive data. However, since a small mistake could have grave consequences, we would like to reward additional efforts spent researching their security.
Grant amounts will vary from $1,337 USD up to $3,133.7
Security improvement efficacy research
This grant is for security research on a recently fixed vulnerability in a product or Google wide (Details of these grants will be made available in our Google+ community.)
After every vulnerability report we receive, we perform a thorough root cause and variant analysis, as well as work with the team to prevent similar vulnerabilities from recurring in their product. If we identify the problem to be a common anti-pattern we work on fixing the issue Google-wide and preventing the issue for all future Google products. We welcome scrutiny on the efficacy of our efforts, and would like to recognize the time spent on this research.
Grant amounts will vary from $1,337 USD up to $3,133.7
Existing VRP reporters can apply for a grant by filling out the form below which the vulnerability reward program panel will review and issue research grants. All selected applicants will receive an email with further information.
Once the applicant concludes the research, we ask that the researcher fill out an optional survey which we will use to learn about the vulnerability research done. We hope to use this information to understand the difficulty of finding vulnerabilities in different products.
The final grant amount is always chosen at the discretion of the panel. In particular, we may decide to issue higher grants for specific research proposals; award multiple grants to the same researcher and only award a single grant for multiple research applications.
We understand that some of you are not interested in money. We offer the option to donate your grant to an established charity. If you do so, we will double your donation - subject to our discretion. Any grants that are unclaimed after 12 months will be donated to a charity of our choosing.
Existing VRP reporters should apply using the same Google account / email they have used in the past to report vulnerabilities here.
Once the application is accepted, details of the grant will be sent by email.
Frequently Asked Questions
Q: How much time should I spend once I receive a reward?
A: The grant application includes both, the grant amount and the research it's intended for, which should give you a rough approximation.
Q: What if I don't find any vulnerabilities?
A: The goal of the grants is to support research looking for vulnerabilities, so we definitely expect that often no vulnerabilities will be found. Receiving a grant and not finding anything doesn't affect your chances of receiving a new one. The information in the survey of what you looked at and the results will be valuable for us.
Q: What is the purpose of the end-of-research survey?
A: We want to be able to understand how the program is used and how it affects the security researchers participating on it. We launched this program to reward security research (as opposed to the identification of specific vulnerabilities) , but understand there are implicit challenges on changing the structure in this way. As such, we want to make sure we gather feedback. In addition, we want to know what properties were looked at to better understand which properties have received a lot of external scrutiny.
Q: What if I don't receive the grant?
A: We expect to have a large number of grant applications at first, so please be patient. Also note that not all applications will be accepted. The panel will prioritize applications by researchers who have received awards in the existing VRP program.
Q: Why not simply increase the rewards?
A: We decided to try something different that was also aimed at rewarding researchers’ time in situations when they pentest services that are likely not to result in vulnerabilities, as we believe we also have benefit in knowing about products were finding bugs was hard.
Q: Can I blog about the results of my research?
A: The same rules for the VRP apply here. We would appreciate it if you told us privately about what you find in your research, as well as give us a chance to fix the bugs before making any vulnerabilities public.
We are unable to issue grants to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary grants program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion.
Of course, your research and testing must not violate any law, or disrupt or compromise any data that is not your own.