What do a 19-year-old researcher from Uruguay, a restaurant owner from Cluj, Romania and a Cambridge professor have in common? They’re all security researchers—a global community of professionals, academics, students and hobbyists who are essential to the safety of our products and the web as a whole. We’re grateful to be a part of this community and support their work in a bunch of ways, including the Vulnerability Rewards Program and our 2018 Privacy and Security academic research awards.

Vulnerability Reward Program: Year in Review

Whether it’s been written by a PhD or a hobbyist, software inevitably has bugs that make it behave in unexpected ways. The important thing is that bugs are identified and patched as quickly as possible. Back in 2010, we started the Vulnerability Reward Program to get help from the security research community in identifying and reporting bugs in Google apps and software. The goal of the program is simple: encourage researchers to report issues so that we can fix them quickly and keep users’ data secure. We also provide financial rewards for bug reporters, ranging from $100 to $200,000, based on the risk level of their discovery. 

Since 2015, we’ve taken a look back at what VRP researchers have done to help make Google users safer. Here’s 2018, by the numbers:

Thanks to researchers from all around the world, we’ve been able to patch all different types of bugs. Ezequiel Pereira, a 19-year-old researcher from Uruguay, uncovered a Remote Code Execution "RCE" bug that allowed him to gain remote access to our Google Cloud Platform console. Tomasz Bojarski from Poland discovered a bug related to Cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data or perform actions on behalf of someone else. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant. After Dzmitry Lukyanenka, a researcher from Minsk, Belarus, lost his job, he began bug-hunting full-time and became part of our VRP grants program, which provides financial support for prolific bug-hunters over time.

Security and Privacy Research awards

We’ve also worked closely with leading security and privacy experts in academia, collaborating when we can provide the technology needed to carry out specific research projects. Academic breakthroughs help improve data privacy and security for years to come. Last year, we announced the Security and Privacy research awards, a new effort to recognize academics who have made major contributions to the field. Awards winners are selected by a committee of senior security and privacy researchers at Google.

Today, we’re revealing the 2018 winners—and on their behalf, we’re making a financial contribution to their universities totaling more than half a million dollars:

• Alina Oprea, Northeastern University: Cloud Security
  
• Matthew Green, Johns Hopkins: Cryptography
  
• Thorsten Holz, Ruhr-Universität Bochum, Systems Security
  
• Alastair Beresford, Cambridge : Usable security and privacy, mobile security
  
• Carmela Troncoso, Ecole Polytechnique Usable de Lausanne: Privacy / Security ML
  
• Rick Wash, Michigan State University: Usable Privacy and Security
  
• Prateek Saxena, National University of Singapore: ML / Web security
  

Whether they’re finding bugs today or making breakthroughs that will protect the web years into the future, the security research community is making everyone’s information safer online. We’ll continue to do our part to support it.