Vulnerability Research Grant Rules
In January 2015, we launched a new experimental program called Vulnerability Research Grants to complement our long-running Vulnerability Reward Program, with the goal of rewarding security researchers who look into the security of Google products and services even when no vulnerabilities are found.
The program is intended for our top-performing, frequent vulnerability researchers as well as invited experts, and we hope it will allow us to reward security researchers' time and attention, including in cases where they don't find any vulnerabilities. If, as a result of the grant, a vulnerability is found, it will also be eligible for a reward under our Vulnerability Reward Program.
List of Vulnerability Research Grants
Details about offered grants will be made available in our Google group.
Newly launched services and features
This grant is for security research on newly launched features and products. (We will share a list of recently launched products once the grant is awarded.)
This grant is aimed at rewarding researchers who are looking for new research targets and are curious about what Google recently launched. Note that the Google product security team reviews new products and services before launch, but we want to support external research and scrutiny as well.
Grant amounts will vary from $500 USD up to $3,133.7
Sensitive product security research
This grant is for security research on an existing Google product considered particularly sensitive (services listed as "Highly Sensitive Services" in the "Reward amounts for security vulnerabilities" section of our VRP page.)
The Google security team works actively with products that are hosted in sensitive HTTP Origins, or that handle particularly sensitive data. However, since a small mistake could have grave consequences, we would like to reward additional efforts spent researching their security.
Grant amounts will vary from $1,337 USD up to $3,133.7
Security improvement efficacy research
This grant is for security research on a recently fixed vulnerability, either in a single product or Google-wide.
After every vulnerability report we receive, we perform a thorough root cause and variant analysis and work with the product team to prevent similar vulnerabilities from recurring in their product. If we identify the problem as a common anti-pattern, we work on fixing the issue Google-wide and preventing it in all future Google products. We welcome scrutiny of the efficacy of these efforts, and would like to recognize the time spent on this research.
Grant amounts will vary from $1,337 USD up to $3,133.7
Product and feature abuse research
This grant is for abuse research on Google features and products. To learn more about the Abuse Research Grant Program, check the announcement blog post. The list of eligible products will be shared once the grant is awarded.
This grant is aimed at rewarding researchers who look for abuse-related methodologies and sensitive product issues outside the scope of traditional security vulnerabilities. We want to support external research that helps Google stay ahead of abuse and deliver trusted and safe experiences to users.
Grant amounts will vary from $500 USD up to $3,133.7
Application Process
Existing VRP reporters can apply for a grant in their profile on the Bug Hunters site; the Vulnerability Reward Program panel will review the eligibility of the researcher and issue research grants. All selected applicants will receive an email with further information.
Once the applicant concludes the research, we ask that the researcher fill out an optional survey which we will use to learn about the vulnerability research done. We hope to use this information to understand the difficulty of finding vulnerabilities in different products.
The final grant amount is always chosen at the discretion of the panel. In particular, we may decide to issue higher grants for specific research proposals, award multiple grants to the same researcher, or award only a single grant for multiple research applications.
We understand that some of you are not interested in money. We offer the option to donate your grant to an established charity. If you do so, we will double your donation, subject to our discretion. Any grants that are unclaimed after 12 months will be donated to a charity of our choosing.
Application Form
Existing VRP reporters should apply in their profile on the Bug Hunters site using the same Google account they have used in the past to report vulnerabilities.
Once the application is accepted, details of the grant will be sent by email.
Frequently Asked Questions
Q: How much time should I spend once I receive a grant?
A: The grant application includes both the grant amount and the research it's intended for, which should give you a rough approximation of the expected effort.
Q: What if I don't find any vulnerabilities?
A: The goal of the grants is to support research looking for vulnerabilities, so we definitely expect that often no vulnerabilities will be found. Receiving a grant and not finding anything doesn't affect your chances of receiving a new one. The information in the survey of what you looked at and the results will be valuable for us.
Q: What is the purpose of the end-of-research survey?
A: We want to be able to understand how the program is used and how it affects the security researchers participating in it. We launched this program to reward security research (as opposed to the identification of specific vulnerabilities), but understand there are inherent challenges in changing the structure in this way. As such, we want to make sure we gather feedback. In addition, we want to know what properties were looked at, to better understand which properties have received a lot of external scrutiny.
Q: What if I don't receive the grant?
A: We expect to have a large number of grant applications at first, so please be patient. Also note that not all applications will be accepted. The panel will prioritize applications by researchers who have received awards in the existing VRP program.
Q: Why not simply increase the rewards?
A: We decided to try something different that is also aimed at rewarding researchers' time in situations where they pentest services that are unlikely to yield vulnerabilities, as we believe there is also value in knowing which products were hard to find bugs in.
Q: Can I blog about the results of my research?
A: The same rules for the VRP apply here. We would appreciate it if you told us privately about what you find in your research, as well as give us a chance to fix the bugs before making any vulnerabilities public.
Q: What impacts the grant amount and frequency of grant offers?
A: We determine the grant amount based on various criteria including the importance of the product or new feature, or the sensitivity of the service. The grant amount and the frequency of grants is not related to results of your previous grants or your VRP performance. It is the same for all security researchers participating in the grants program.
Legal points
We are unable to receive reports and/or issue rewards to individuals or entities that are on sanctions lists, or who are in territories subject to sanctions (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic). Additionally, due to administrative difficulties, we no longer issue rewards to individuals or entities located in Russia.
You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary grants program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion.
Of course, your research and testing must not violate any law, or disrupt or compromise any data that is not your own.