Google today extended its proactive Patch Reward Program to include even more open-source software (OSS). Among the additions is the Android Open Source Project, which the company had not previously announced would be added.
Last month, Google started providing financial incentives (between $500 and $3,133.70) for proactive improvements to OSS that go beyond merely fixing a known security bug. Google said at the time it would be rolling out the program gradually, and hinted that more project types would be on the way.
Less than six weeks later, the company has added the following:
- All the open-source components of Android: Android Open Source Project.
- Widely used Web servers: Apache httpd, lighttpd, nginx.
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot.
- Virtual private networking: OpenVPN.
- Network time: University of Delaware NTPD.
- Additional core libraries: Mozilla NSS, libxml2.
- Toolchain security improvements for GCC, binutils, and llvm.
These additions join the following five project types with which Google launched its program in October:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP.
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib.
- Open-source foundations of Google Chrome: Chromium, Blink.
- Other high-impact libraries: OpenSSL, zlib.
- Security-critical, commonly used components of the Linux kernel (including KVM).
Interestingly, Google at launch said it would eventually add support for widely used Web servers, popular SMTP services, toolchain security improvements, and virtual private networking. Android, network time, and additional core libraries were not mentioned explicitly last month, but were added today nevertheless, suggesting that the program is off to a solid start.
We noted at the time that Google is essentially expanding its Vulnerability Reward Program to the world of OSS in the hopes of improving the security of key third-party software critical to the health of the entire Internet. In fact, Google today once again reiterated its plan: “The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.”
With the addition of Android, however, it looks like Google is already blurring what it means by “third-party.” The company also didn’t elaborate on how exactly its mobile operating system is vital to the health of the Internet.
Top Image Credit: Johannes Eisele/Getty Images