Google Offers New Bounty Program For Securing Open-Source Software by Kelly Jackson Higgins.
From the post:
First there was the bug bounty, and now there’s the patch bounty: Google has launched a new program that pays researchers for security fixes to open-source software.
The new experimental program offers rewards from $500 to $3,133.70 for coming up with security improvements to key open-source software projects. It is geared to complement Google’s bug bounty program for Google Web applications and Chrome.
Google’s program initially will encompass network services OpenSSH, BIND, ISC DHCP; image parsers libjpeg, libjpeg-turbo, libpng, giflib; Chromium and Blink in Chrome; libraries for OpenSSL and zlib; and Linux kernel components, including KVM. Google plans to next include Web servers Apache httpd, lighttpd, nginx; SMTP services Sendmail, Postfix, Exim; and GCC, binutils, and llvm; and OpenVPN.
Industry concerns over security flaws in open-source code have escalated as more applications rely on these components. Michal Zalewski of the Google Security Team says the search engine giant initially considered a bug bounty program for open-source software, but decided to provide financial incentives for better locking down open-source code.
“We all benefit from the amazing volunteer work done by the open-source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program — and employ it to improve the security of key third-party software critical to the health of the entire Internet,” Zalewski said in a blog post. “We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic — enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.”
So Google went with offering money for improving the security of open-source software “that goes beyond merely fixing a known security bug,” he blogged. “Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help.”
The official rules include this statement:
Reactive patches that merely address a single, previously discovered vulnerability will typically not be eligible for rewards.
I read that to mean that hardening the security of the covered projects may qualify for an award (must be accepted by the project first).
I wonder if Google will consider a bonus if the patch repairs an NSA-induced security weakness?