Google says bug bounties have made its products safer

The firm has paid out £260,000 in rewards to people who have found bugs in its web applications

Google has said that its programme of offering cash rewards to anyone who can find and report a genuine bug in one of its web applications has made users of its software safer.

In a Google blog, Adam Mein, technical program manager at the Google security team, said that the firm had looked at other bug reward programmes before launching its own.

"We benefited from looking at examples of other types of vulnerability reward programmes when designing our own. Similarly, in the months following our reward programme kick-off, we saw other companies developing reward programmes and starting to focus more on web properties."

He argued that these sorts of initiatives help to build communities among security researchers, with the result that users are safer when using web applications.

"Over time, these programmes can help companies build better relationships with the security research community. As the model replicates, the opportunity to improve the overall security of the web broadens."

The firm introduced the programme in November 2010, and since then has paid out £260,000 to more than 200 people for discovering 730 bugs.

Mein said that around half of the bugs whose detection it paid for were in software developed by firms Google acquired.

"Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired; the rest were distributed across applications developed by Google (several hundred new ones each year)."

He hailed the success of the rewards programme, saying that most of the people who now notified the company of bugs had never done so prior to its launch.

"The vast majority of our initial bug reporters had never filed bugs with us before we started offering monetary rewards."