Google Offers Cash For Security Patches
Written by Andrew Johnson   
Wednesday, 16 October 2013

Google is offering Patch Rewards of up to $3,133.70 to developers who contribute to improving the security of the open source software that underpins the functioning of the Internet.

Google already has an established Vulnerability Reward Program covering Google-owned web properties that pays out sums ranging from $100 to $20,000 for reporting security bugs. Now the program is being extended to external software, but with a shift of focus, as explained by Michal Zalewski on the Google Online Security Blog:

We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.

Instead of just asking for bug reports, Google is now looking for:

proactive improvements that go beyond merely fixing a known security bug.

The examples it suggests are switching to a more secure allocator, adding privilege separation, cleaning up a bunch of sketchy calls to strcat(), and enabling ASLR.
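As an added illustration of the third kind of patch, cleaning up unbounded strcat() calls, here is a constructed C example that puts the sketchy pattern next to a bounded replacement. It is not code from the blog post or from any of the projects listed; the buffer size, the sample inputs and the names join_unsafe and join_bounded are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: build "user@host" into a fixed-size buffer. */
#define OUT_LEN 16

/* Before: the classic strcat() chain. Nothing checks that user and host
 * fit in out, so a long name writes past the end of the buffer
 * (undefined behaviour, in practice a stack or heap overflow).
 * Kept only as the pattern to be cleaned up; never feed it untrusted input. */
void join_unsafe(char out[OUT_LEN], const char *user, const char *host)
{
    strcpy(out, user);
    strcat(out, "@");
    strcat(out, host);
}

/* After: every write is bounded by the space that remains in out.
 * Returns 0 on success or -1 when "user@host" plus the terminating NUL
 * would not fit in out_len bytes. On failure out is left as "" rather
 * than as a silently truncated (and possibly misleading) value. */
int join_bounded(char *out, size_t out_len, const char *user, const char *host)
{
    size_t ulen, hlen, rem;

    if (out_len == 0)
        return -1;
    out[0] = '\0';

    ulen = strlen(user);
    if (ulen >= out_len - 1)        /* no room for user plus '@' */
        return -1;
    rem = out_len - ulen - 1;       /* bytes left after user and '@' */

    hlen = strlen(host);
    if (hlen >= rem)                /* host plus NUL must fit in rem */
        return -1;

    memcpy(out, user, ulen);
    out[ulen] = '@';
    memcpy(out + ulen + 1, host, hlen);
    out[ulen + 1 + hlen] = '\0';
    return 0;
}

int main(void)
{
    char buf[OUT_LEN];

    /* Fits: 5 + 1 + 7 = 13 characters plus NUL in a 16-byte buffer. */
    if (join_bounded(buf, sizeof buf, "alice", "example") == 0)
        printf("ok: %s\n", buf);

    /* Rejected: 5 + 1 + 11 = 17 characters cannot fit; the strcat()
     * version would have overrun buf by two bytes here. */
    if (join_bounded(buf, sizeof buf, "alice", "example.org") != 0)
        printf("rejected oversized input\n");

    return 0;
}
```

The check is split into two comparisons so that neither can overflow size_t, and the buffer is cleared before any early return so a caller that ignores the return value still sees an empty string rather than stale data.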

The program is to be rolled out gradually and initially it covers:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
  • Open-source foundations of Google Chrome: Chromium, Blink
  • Other high-impact libraries: OpenSSL, zlib
  • Security-critical, commonly used components of the Linux kernel (including KVM)

Depending on the feedback and submissions received it is hoped to extend it soon to:

  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular SMTP services: Sendmail, Postfix, Exim
  • Toolchain security improvements for GCC, binutils, and llvm
  • Virtual private networking: OpenVPN

In order to participate in the scheme you should submit patches directly to the maintainers of the individual projects. Once your patch is accepted and merged into the repository, you then send all the relevant details to security-patches@google.com. If it is judged to have a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.70. The Program Rules give more details of the sorts of patches that will be considered for a reward.

If you are puzzled by the sum chosen for the top payout, you probably don't know leetspeak, the alphabet that replaces letters with ASCII characters that resemble them. In leet, 3 stands for e, 1 for l and 7 for t. The term leet (1337) is commonly used to mean "formidable prowess or accomplishment", particularly in hacking.

In its existing vulnerability program Google repeatedly uses rewards of $1,337, and in this case $3,133.70 ("eleet") is even better than "leet".


More Information

Vulnerability Reward Program

Patch Rewards Program Rules

Related Articles

Google Announces More Cash For Security Bugs

Bounty Hunter Awarded $100,000

Facebook Refuses Bounty, Internet Raises Over $10K


Last Updated ( Tuesday, 19 November 2013 )