Feeds

Google to award bounties for fixing non-Google open source code

Patch pillars of the internet, earn valuable crumbs

  • alert
  • submit to reddit

SANS - Survey on application security programs

Google is expanding its bug bounty program to include awards for patches that make material security improvements to open source software - even when the software isn't directly maintained by Google itself.

The Chocolate Factory has been rewarding developers for security fixes to its own software since 2010, when it kicked off its bounty program for the Chrome web browser. Now the company says it will also shell out cash to developers who submit fixes to select non-Google software, too.

To qualify for the program, developers must produce "down-to-earth, proactive improvements that go beyond merely fixing a known security bug," according to a blog post by Google security team member Michal Zalewski on Wednesday.

Initially, the bounty program applies only to a select group of open source projects, such as the OpenSSL and OpenSSH secure communications libraries, the BIND DNS software, and security-critical components of the Linux kernel, to name a few.

After an initial trial period, it will be expanded to include even more projects, including such popular packages as the Apache webserver, the Sendmail, Postfix, and Exim email servers, and the Gnu software development tools.

Zalewski said Google chose this selective approach because it believes it will be more productive than offering bug bounties for just any old open source software.

"In addition to valid reports, bug bounties invite a significant volume of spurious traffic – enough to completely overwhelm a small community of volunteers," he wrote. "On top of this, fixing a problem often requires more effort than finding it."

Aside from ponying up the cash, Google's approach will be mostly hands-off. Developers don't need to clear their fixes with Mountain View before submitting their patches. Instead, they should submit them directly to the maintainers of the projects in question. Once the patches are accepted and the updated code has shipped, they can then email security-patches@google.com with a description of what they did.

"If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7," Zalewski writes.

In fact, the online ad giant may choose to cough up even more in cases of "unusually clever or complex submissions" – the actual amount of each award being left to Google's sole discretion.

Then again, some developers may choose to contribute security patches strictly out of a sense of duty. In these cases, Google says they can opt to donate their bounty awards to charity and it will match their donations. Bounties that haven't been claimed after 12 months will be donated to a charity of Google's choice. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.