Google pays up front for bug hunting

Google has rejigged its bug bounty scheme to reward security researchers up front for examining its products, even if they fail to uncover any vulnerabilities.

The company announced the changes to its existing vulnerability research program in a blog post on Friday.

Security engineer Eduardo Vela Nava said Google's existing bug hunting program alongside internal security efforts had been so successful that finding new vulnerabilities had become increasingly difficult.

Google's aim is to encourage researchers to pursue investigative work into the security of its products and services - even if no vulnerabilities are found as a result.

The maximum grant on offer is US$3133.70 - the numbers form the slang term "eleet" or elite - available in three different categories: newly launched services and features, sensitive product security research, and security improvement efficacy research.

Grant-funded research remains eligible for existing after-the-fact bug hunting rewards as well.

From this year, official Google apps that are available through the Google Play and Apple iTunes app stores will also be covered by the company's vulnerability research program, Vela Nava said.

Last year, Google rewarded over 200 researchers with a combined US$1.5 million (A$1.95 million) for finding more than 500 bugs.

A total of US$4 million has been paid out since the security rewards program started in 2010, Google said.