Google Offers Cash For Security Patches
Written by Andrew Johnson
Wednesday, 16 October 2013

Google is offering Patch Rewards of up to $3,133.70 to developers who contribute to improving the security of the open source software that underpins the functioning of the Internet.


Google already has an established Vulnerability Reward Program covering Google-owned web properties that pays out sums ranging from $100 to $20,000 for reporting security bugs. Now the program is being extended to external software, but with a shift of focus, as explained by Michal Zalewski on the Google Online Security Blog:

We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.

Instead of just asking for bug reports, Google is now looking for:

proactive improvements that go beyond merely fixing a known security bug.

The examples it suggests are switching to a more secure allocator, adding privilege separation, cleaning up a bunch of sketchy calls to strcat(), and enabling ASLR.
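To show what the strcat() cleanup in that list looks like in practice, here is an added example (not code from the article or from any of the listed projects): the unbounded pattern beside a bounded replacement that refuses, rather than overflows, when the pieces do not fit. The buffer size and path fragments are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Before: the kind of call a cleanup patch targets. Nothing checks how
   much room "out" has, so long pieces write past its end. Never called here. */
void build_path_unsafe(char *out, const char *dir, const char *name)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);
}

/* After: append "piece" to the NUL-terminated string in "dest" only if it
   fits in dest_size bytes, terminator included. 0 on success, -1 otherwise. */
int safe_append(char *dest, size_t dest_size, const char *piece)
{
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL)                     /* dest is not terminated */
        return -1;
    size_t used = (size_t)(end - dest);
    size_t need = strlen(piece);
    if (need > dest_size - used - 1)     /* no room for piece + NUL */
        return -1;
    memcpy(dest + used, piece, need + 1);
    return 0;
}

/* Bounded replacement: fails cleanly, leaving "out" terminated, instead of
   overflowing when dir + "/" + name does not fit in out_size bytes. */
int build_path(char *out, size_t out_size, const char *dir, const char *name)
{
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    if (safe_append(out, out_size, dir) != 0 ||
        safe_append(out, out_size, "/") != 0 ||
        safe_append(out, out_size, name) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char buf[24];                        /* constructed sample buffer */
    if (build_path(buf, sizeof buf, "/var/log", "app.log") == 0)
        printf("ok: %s\n", buf);
    if (build_path(buf, sizeof buf, "/var/log/archive/2013", "app.log") != 0)
        printf("rejected: does not fit in %zu bytes\n", sizeof buf);
    return 0;
}
```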

The program is to be rolled out gradually and initially it covers:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
  • Open-source foundations of Google Chrome: Chromium, Blink
  • Other high-impact libraries: OpenSSL, zlib
  • Security-critical, commonly used components of the Linux kernel (including KVM)

Depending on the feedback and submissions received it is hoped to extend it soon to:

  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular SMTP services: Sendmail, Postfix, Exim
  • Toolchain security improvements for GCC, binutils, and llvm
  • Virtual private networking: OpenVPN

In order to participate in the scheme you should submit patches directly to the maintainers of the individual projects. Once your patch is accepted and merged into the repository, you then send all the relevant details to security-patches@google.com. If it is judged to have a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.70. The Program Rules give more details of the sorts of patches that will be considered for a reward.

If you are puzzled by the sum chosen for the top payout, you probably don't know leetspeak, the alphabet that uses combinations of ASCII characters to replace letters. In Leet, 3 stands for e, 1 for l and 7 for t. The term leet (1337) is commonly used to mean "formidable prowess or accomplishment", particularly in hacking.

In its existing vulnerability program Google repeatedly uses rewards of $1,337; in this case $3,133.70, "eleet", is even better than "leet".


More Information

Vulnerability Reward Program

Patch Rewards Program Rules

Related Articles

Google Announces More Cash For Security Bugs

Bounty Hunter Awarded $100,000

Facebook Refuses Bounty, Internet Raises Over $10K


Last Updated (Tuesday, 19 November 2013)