Google Offers Cash For Security Patches
Written by Andrew Johnson   
Wednesday, 16 October 2013

Google is offering Patch Rewards of up to $3,133.70 to developers who contribute to improving the security of the open source software that underpins the functioning of the Internet.


Google already has an established Vulnerability Reward Program covering Google-owned web properties that pays out sums ranging from $100 to $20,000 for reporting security bugs. Now the program is being extended to external software, but with a shift of focus, as explained by Michal Zalewski on the Google Online Security Blog:

We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.

Instead of just asking for bug reports, Google is now looking for:

proactive improvements that go beyond merely fixing a known security bug.

The examples it suggests are switching to a more secure allocator, adding privilege separation, cleaning up a bunch of sketchy calls to strcat(), and enabling ASLR: hardening measures that close off a whole class of bugs rather than a single reported instance.
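To make the strcat() item concrete, here is an added example (not code from Google's blog post or from any of the projects listed below) of the kind of cleanup meant: an unbounded string-building routine next to a bounded rewrite. The function names, the assumed 64-byte destination buffer and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* "Before": the kind of sketchy strcat() usage a hardening patch would clean
 * up. dst is assumed (by convention only) to be a fixed 64-byte buffer, and
 * nothing checks how much room is left before appending, so a long
 * attacker-controlled name writes past the end of dst: a classic buffer
 * overflow. Kept here only as the "before" side of the comparison. */
void build_path_unsafe(char *dst, const char *dir, const char *name)
{
    strcpy(dst, dir);       /* no bound on strlen(dir) */
    strcat(dst, "/");
    strcat(dst, name);      /* overflows once strlen(dir)+1+strlen(name) >= 64 */
}

/* "After": a bounded replacement. The caller passes the real buffer size,
 * the function checks that the full result (dir + '/' + name + NUL) fits
 * before writing a single byte, and it reports failure instead of silently
 * truncating. The subtractions are ordered so the size_t arithmetic cannot
 * wrap even for hostile lengths. Returns 0 on success, -1 if the result
 * does not fit; on failure dst is set to the empty string. */
int build_path_safe(char *dst, size_t dstsz, const char *dir, const char *name)
{
    size_t dlen = strlen(dir);
    size_t nlen = strlen(name);

    if (dstsz < 2 || dlen > dstsz - 2 || nlen > dstsz - 2 - dlen) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, dir, dlen);
    dst[dlen] = '/';
    memcpy(dst + dlen + 1, name, nlen);
    dst[dlen + 1 + nlen] = '\0';
    return 0;
}

int main(void)
{
    char small[16];   /* constructed example: deliberately small destination */

    if (build_path_safe(small, sizeof small, "/etc", "passwd") == 0)
        printf("ok: %s\n", small);
    /* a name that does not fit is rejected, not truncated or overflowed */
    if (build_path_safe(small, sizeof small, "/etc", "an_overlong_filename") != 0)
        printf("rejected: result would not fit in %zu bytes\n", sizeof small);
    return 0;
}
```

The point a reviewer looks for in such a patch is not just that strcat() has gone, but that the size check happens before any write, that the boundary case (result exactly fills the buffer including the terminator) is handled, and that the caller can tell a failed call from a truncated one.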

The program is to be rolled out gradually and initially it covers:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
  • Open-source foundations of Google Chrome: Chromium, Blink
  • Other high-impact libraries: OpenSSL, zlib
  • Security-critical, commonly used components of the Linux kernel (including KVM)

Depending on the feedback and submissions received, Google hopes to extend it soon to:

  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular SMTP services: Sendmail, Postfix, Exim
  • Toolchain security improvements for GCC, binutils, and llvm
  • Virtual private networking: OpenVPN

To participate in the scheme you submit patches directly to the maintainers of the individual projects. Once your patch has been accepted and merged into the project's repository, you send the relevant details to security-patches@google.com. If Google judges the patch to have a demonstrable, positive impact on the security of the project, you qualify for a reward ranging from $500 to $3,133.70. The Program Rules give more details of the sorts of patches that will be considered for a reward.

If you are puzzled by the sum chosen for the top payout, you probably don't know leetspeak, the alphabet that replaces letters with similar-looking ASCII characters. In leet, 3 stands for e, 1 for l and 7 for t, so 1337 reads as "leet", a term commonly used to mean "formidable prowess or accomplishment", particularly in hacking.

In its existing vulnerability reward program Google repeatedly uses rewards of $1,337, and in this case $3,133.70, "eleet", is even better than "leet".



More Information

Vulnerability Reward Program

Patch Rewards Program Rules

Related Articles

Google Announces More Cash For Security Bugs

Bounty Hunter Awarded $100,000

Facebook Refuses Bounty, Internet Raises Over $10K


Last Updated ( Tuesday, 19 November 2013 )
Copyright © 2014 i-programmer.info. All Rights Reserved.