Google launches open source bug bounty programme
Search giant's bug-hunting reward programme extended to third-party code.
Google is to roll out its Vulnerability Reward Program to include a number of its critical third-party software providers.
According to a blog post by Michal Zalewski of Google's security team, the aim of the programme is to "improve the security of key third-party software critical to the health of the entire internet".
The programme will initially include 12 open source projects divided into five areas: OpenSSH, BIND and ISC DHCP are included under core infrastructure network services; libjpeg, libjpeg-turbo, libpng and giflib are listed as core infrastructure image parsers; Chromium and Blink come under the open source foundations of Google Chrome; Open SSL and zlib are listed simply as other high impact libraries; and finally, security-critical, commonly used components of the Linux kernel form their own group.
The programme will also be rolled out at a later date to Apache httpd, Sendmail, Postfix, binutils and OpenVPN, amongst others. No exact timescale has been given for the inclusion of these projects, although Google claims it will be "soon".
Explaining how the programme came to be, Zalewski said: "We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.
"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug."
Anyone wishing to participate should submit bug reports directly to the maintainers of the individual projects included in the scheme. Once the patch is accepted and merged into the repository, bug hunters should send all the relevant details to email@example.com.
Those whose submissions are judged to have a demonstrable, positive impact on the security of the project in question will qualify for a reward ranging from $500 (313.18) up to a maximum $3,133.7 (1962.74).
The ultimate law enforcement agency guide to going mobile
Best practices for implementing a mobile device programFree download
The business value of Red Hat OpenShift
Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShiftFree download
Managing security and risk across the IT supply chain: A practical approach
Best practices for IT supply chain securityFree download
Digital remote monitoring and dispatch services’ impact on edge computing and data centres
Seven trends redefining remote monitoring and field service dispatch service requirementsFree download