Thursday, October 10, 2013

Google Rewards For Open Source Security Patches, $500 to $3133.70 (Sleet!)

The good days are back for developers and security analysts, as Google has started a program to reward security analysts who find a bug and fix it. The bounty is set at a range of $500 to $3133.70 for fixes to open-source programs such as OpenSSL, OpenSSH, BIND and several other pieces of software that are directly connected to OS security.

The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties. Security researchers inside the company considered modifying the program to reward bug reports in open-source software, but eventually decided against that approach. The reason: bug bounty programs often invite a flood of reports of varying quality that can overwhelm the finite resources of open-source developers. What's more, it's frequently much harder to patch a vulnerability than merely to find it.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug," Michal Zalewski, a member of the Google security team, wrote in a blog post. "Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR—we want to help."
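The "sketchy calls to strcat()" Zalewski mentions are the classic unbounded string concatenation into a fixed-size buffer. As an added illustration (example code written for this article, not code from Google or from any of the projects named in the program), the snippet below shows that pattern next to a bounded replacement that checks the destination capacity and reports overflow instead of writing past the buffer. The function names `join_path_unsafe` and `join_path_safe` are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; example added to this article, not project code. */

/* The "sketchy" form: strcat() cannot know how large dst is, so a dir or
 * file longer than the caller planned for silently overruns the buffer.
 * Kept here only as the "before" shape of the cleanup; do not copy it. */
static void join_path_unsafe(char *dst, const char *dir, const char *file)
{
    strcpy(dst, dir);
    strcat(dst, "/");
    strcat(dst, file);
}

/* Bounded replacement: the capacity is passed explicitly, snprintf never
 * writes more than cap bytes, the result is always NUL-terminated, and a
 * result that would not fit is reported (dst left empty) rather than
 * truncated or overflowed. Returns true on success. */
static bool join_path_safe(char *dst, size_t cap, const char *dir, const char *file)
{
    if (dst == NULL || cap == 0)
        return false;
    int n = snprintf(dst, cap, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= cap) {   /* n is the length it *wanted* to write */
        dst[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    char buf[16];  /* deliberately small, constructed for the demo */

    /* Fits: both variants produce the same string. */
    join_path_unsafe(buf, "/etc", "hosts");
    printf("unsafe (fits):  %s\n", buf);
    if (join_path_safe(buf, sizeof buf, "/etc", "hosts"))
        printf("safe   (fits):  %s\n", buf);

    /* Does not fit: the safe version refuses instead of corrupting memory.
     * (Calling join_path_unsafe with this input would overflow buf.) */
    if (!join_path_safe(buf, sizeof buf, "/usr/local/share", "x"))
        printf("safe   (too long): rejected, buffer left empty\n");
    return 0;
}
```

The point of passing `cap` and checking the return of `snprintf` is that the overflow becomes an ordinary, testable error path; a reviewer can see the bound at the call site instead of having to trace every caller's buffer size.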
"We intend to roll out the program gradually, based on the quality of the received submissions and the feedback from the developer community. For the initial run, we decided to limit the scope to the following projects:

Core infrastructure network services: OpenSSH, BIND, ISC DHCP
Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
Open-source foundations of Google Chrome: Chromium, Blink
Other high-impact libraries: OpenSSL, zlib
Security-critical, commonly used components of the Linux kernel (including KVM)"

says the article here.

Google plans to extend the program further by including software such as:

Widely used web servers: Apache httpd, lighttpd, nginx
Popular SMTP services: Sendmail, Postfix, Exim
Toolchain security improvements for GCC, binutils, and llvm
Virtual private networking: OpenVPN

The program is sure to have a wide-scale impact and to help the overall development of the Linux community.

So once you have found a vulnerability, reported it and released your own patch for it, you will have to submit the patch to the maintainers of the software and wait for it to be approved and merged into the main repository. Once this is done, you can contact Google at google-patches@google.com with all relevant details to qualify for the reward program.

"If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7," says Michal Zalewski, Google Security Team.

You can find the detailed list of rules here.
