A little over 10 years ago, Google launched their Vulnerability Rewards Program (VRP), with the goal of establishing a channel for security security researchers to report bugs to Google and offer an efficient way for Google to thank them for helping make Google, users, and the Internet a safer place. Here is a snapshot of what the VRP has accomplished over the past 10 years: 

  • Total bugs rewarded: 11,055
  • Number of rewarded researchers: 2,022
  • Representing 84 different countries
  • Total rewards: $29,357,516

To celebrate the anniversary of VRP and ensure the next 10 years are just as successful and collaborative, Google announced the launch of its new platform, bughunters.google.com.

"Since its inception, the VRP program has not only grown significantly in terms of report volume, but the team of security engineers behind it has also expanded – including almost 20 bug hunters who reported vulnerabilities to us and ended up joining the Google VRP team," Google says. "That is why we are thrilled to bring you this new platform, continue to grow our community of bug hunters and support the skill development of up-and-coming vulnerability researchers."

The new site brings all VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues. Other improvements include: 

  • More opportunities for interaction and a bit of healthy competition through gamification, per-country leaderboards, awards/badges for certain bugs and more.
  • A more functional and aesthetically pleasing leaderboard. Google says a lot of bug hunters are using achievements in the VRP to find jobs (Google is hiring!) and hopes this acts as a useful resource.
  • A stronger emphasis on learning: Bug hunters can improve their skills through the content available in Google's new Bug Hunter University
  • Streamlined publication process: this improvement will make it easier for bug hunters to publish bug reports.
  • Swag will now be supported for special occasions.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, says, "Google has done a great job of essentially crowdsourcing their bug and vulnerability reporting, and with this new program they’ll be growing their community.  Google has always taken a more open approach to its software than comparable companies. Android, for example, is built on open-source technology that enables more customization of the OS. Relying on others to help report on issues is a key part of creating a secure customer experience that can continue to improve."

Lookout, for example, says Schless, has contributed heavily to these efforts by "reporting almost 600 malicious apps to Google that were found on the Play Store since 2019. Other industry-leading companies contribute in similar ways to Lookout for different products that Google offers. This type of community-based knowledge only serves to make the world a more secure place."

"Open source software is particularly prone to the Tragedy of the Commons, where most consumers of a shared resource assume that someone else will undertake the responsibility of maintaining that resource," explains Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions. "Fortunately, organizations such as the Open Source Security Foundation (for which Google is also a founding member) are working to ensure that critical open source software is being properly maintained. Google's Vulnerability Reward Program takes it to the next level by incentivizing many others to join in protecting this valuable shared resource."

Cyber defense stands to benefit from more and better crowdsourcing instincts, adds Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based AI cybersecurity company. "Some believe information sharing heightens risk, if only the erosion of some competitive edge. But in truth, if all white hats work in isolation, the all-too-frequent results are duplication of effort, missed signals, and unwanted outcomes. Another community of strong actors dedicated to better security through information sharing is a positive step. Remember that black hats collude against us this way each and every hour of the day."