Google is offering Patch Rewards of up to $3,133.70 to developers who contribute to improving the security of the open source software that underpins the functioning of the Internet.
Google already has an established Vulnerability Reward Program covering Google-owned web properties that pays out sums ranging from $100 to $20,000 for reporting security bugs. Now the program is being extended to external software, but with a shift of focus, as explained by Michal Zalewski on the Google Online Security Blog:
We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.
Instead of just asking for bug reports, Google is now looking for:
proactive improvements that go beyond merely fixing a known security bug.
The examples it suggests are switching to a more secure allocator; adding privilege separation; cleaning up a bunch of sketchy calls to strcat(), and enabling ASLR.
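The strcat() item is the most concrete of those examples, so here is a short illustration of what such a cleanup looks like in practice. This is an added example written for this article, not code from Google or from any of the projects listed below; the 32-byte buffer, the path prefix and the file names are constructed for the demonstration. The unsafe pattern is kept in a comment; the bounded replacement checks every write against the destination size and reports truncation to the caller instead of silently corrupting memory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Before: the "sketchy" pattern. Nothing bounds the writes, so a long
 * caller-supplied name overruns the 32-byte buffer.
 *
 *   char path[32];
 *   strcpy(path, "/var/lib/app/");
 *   strcat(path, name);          // overflow once strlen(name) > 18
 *
 * After: every append is checked against the destination size, and the
 * caller is told about truncation rather than getting a clobbered stack.
 */

/* Append src to dst without ever writing past dstsz bytes (NUL included).
 * Returns 0 on success, -1 if the result would not fit; on failure dst is
 * left exactly as it was. */
int bounded_concat(char *dst, size_t dstsz, const char *src)
{
    size_t dlen = strnlen(dst, dstsz);
    size_t slen = strlen(src);
    if (dlen == dstsz)          /* dst is not even NUL-terminated: refuse */
        return -1;
    if (slen >= dstsz - dlen)   /* no room for src plus the terminator */
        return -1;
    memcpy(dst + dlen, src, slen + 1);
    return 0;
}

/* Build "/var/lib/app/<name>" into out (constructed example prefix).
 * Returns 0 on success, -1 when the name does not fit in outsz bytes. */
int build_path(char *out, size_t outsz, const char *name)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (bounded_concat(out, outsz, "/var/lib/app/") != 0)
        return -1;
    if (bounded_concat(out, outsz, name) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char path[32];
    /* constructed inputs: one that fits, one that would have overflowed */
    const char *names[] = { "config.db",
                            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_path(path, sizeof path, names[i]) == 0)
            printf("ok:       %s\n", path);
        else
            printf("rejected: name of %zu chars does not fit\n",
                   strlen(names[i]));
    }
    return 0;
}
```

The point of returning -1 rather than truncating silently is that the caller can fail the operation loudly; a patch that replaces strcat() with strncat() but ignores the truncation would remove the memory-safety bug while introducing a logic bug, which is the kind of distinction a reviewer of these patches will look for.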
The program is to be rolled out gradually and initially it covers:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
Depending on the feedback and submissions received it is hoped to extend it soon to:
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular SMTP services: Sendmail, Postfix, Exim
- Toolchain security improvements for GCC, binutils, and llvm
- Virtual private networking: OpenVPN
In order to participate in the scheme you should submit patches directly to the maintainers of the individual projects. Once your patch is accepted and merged into the repository, you then send all the relevant details to email@example.com. If it is judged to have a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7. The Program Rules give more details of the sorts of patches that will be considered for a reward.
If you are puzzled by the sum chosen for the top payout, you probably don't already know leetspeak, the alphabet that uses combinations of ASCII characters to replace letters. In Leet, 3 stands for e, 1 for l and 7 for t. The term leet (1337) is commonly used to mean "formidable prowess or accomplishment", particularly in hacking.
In its existing vulnerability program Google repeatedly uses rewards of $1,337, and in this case $3,133.7, or "eleet", is even better than "leet".