Google Offers Cash For Security Patches
Written by Andrew Johnson   
Wednesday, 16 October 2013

Google is offering Patch Rewards of up to $3,133.70 to developers who contribute to improving the security of the open source software that underpins the functioning of the Internet.
Google already has an established Vulnerability Reward Program covering Google-owned web properties that pays out sums ranging from $100 to $20,000 for reporting security bugs. Now the program is being extended to external software, but with a shift of focus, as explained by Michal Zalewski on the Google Online Security Blog:

We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.

Instead of just asking for bug reports, Google is now looking for:

proactive improvements that go beyond merely fixing a known security bug.

The examples it suggests are switching to a more secure allocator, adding privilege separation, cleaning up a bunch of sketchy calls to strcat(), and enabling ASLR.

The program is to be rolled out gradually and initially it covers:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
  • Open-source foundations of Google Chrome: Chromium, Blink
  • Other high-impact libraries: OpenSSL, zlib
  • Security-critical, commonly used components of the Linux kernel (including KVM)

Depending on the feedback and submissions received it is hoped to extend it soon to:

  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular SMTP services: Sendmail, Postfix, Exim
  • Toolchain security improvements for GCC, binutils, and llvm
  • Virtual private networking: OpenVPN

In order to participate in the scheme you should submit patches directly to the maintainers of the individual projects. Once your patch is accepted and merged into the repository, you then send all the relevant details to Google. If it is judged to have a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7. The Program Rules give more details of the sorts of patches that will be considered for a reward.

If you are puzzled by the sum chosen for the top payout you probably don't already know leetspeak, the alphabet that uses combinations of ASCII characters to replace letters. In Leet 3 stands for e, 1 for l and 7 for t. The term leet (1337) is commonly used to mean "formidable prowess or accomplishment" particularly in hacking.

In its existing vulnerability program Google repeatedly uses rewards of $1,337, and in this case $3,133.7 "eleet" is even better than "leet".



More Information

Vulnerability Reward Program

Patch Rewards Program Rules

Last Updated ( Tuesday, 19 November 2013 )