Google begins offering financial rewards for proactive security patches made to select open-source projects

Google begins offering financial rewards for proactive security patches made to select open-source projects ...

Google today started to provide financial incentives for proactive improvements to open-source software (OSS) that go beyond merely fixing a known security bug. Awards currently range between $500 and $3,133.70.

Google says it will be rolling out the program gradually, the speed of which will be determined on the quality of the received submissions and feedback from the developer community. The initial run is limited in scope to the following projects:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP.
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib.
  • Open-source foundations of Google Chrome: Chromium, Blink.
  • Other high-impact libraries: OpenSSL, zlib.
  • Security-critical, commonly used components of the Linux kernel (including KVM).

Soon (it wouldn’t say when exactly), the company will extend the program to:

  • Widely used web servers: Apache httpd, lighttpd, nginx.
  • Popular SMTP services: Sendmail, Postfix, Exim.
  • Toolchain security improvements for GCC, binutils, and llvm.
  • Virtual private networking: OpenVPN.

In other words, Google is trying to bring its Vulnerability Reward Program to the world of OSS in the hopes of improving the security of key third-party software critical to the health of the entire Internet. That’s a great goal, if we may say so ourselves.

Google says it toyed with the idea of just launching an OSS bug-hunting program, but it said the approach could “easily backfire.” The company worried that broad bug bounties would lead to a significant volume of spurious traffic that might overwhelm a small community of volunteers, not to mention finding bugs is only half the work (Google wants bug hunters to actually fix the issues they find).

If you’re interested, check out the rules, submit your patch directly to the maintainers of the individual projects, and then once it is accepted and merged into the repository, send all the relevant details to [email protected]

See also – Three years in, Google has paid researchers over $2 million in security rewards and fixed more than 2,000 bugs and Google’s CIO explains the challenge of keeping data secure: ‘We spend a lot of time worrying about it’

Top Image Credit: Johannes Eisele/Getty Images

Read next: Is Twitter's IPO set for November 15, 2013? Financial data analyst PrivCo seems to think so