Google launches open source bug bounty programme

Google is to roll out its Vulnerability Reward Program to include a number of its critical third-party software providers.

According to a blog post by Michal Zalewski of Google's security team, the aim of the programme is to "improve the security of key third-party software critical to the health of the entire internet".

The programme will initially include 12 open source projects divided into five areas: OpenSSH, BIND and ISC DHCP are included under core infrastructure network services; libjpeg, libjpeg-turbo, libpng and giflib are listed as core infrastructure image parsers; Chromium and Blink come under the open source foundations of Google Chrome; Open SSL and zlib are listed simply as other high impact libraries; and finally, security-critical, commonly used components of the Linux kernel form their own group.

The programme will also be rolled out at a later date to Apache httpd, Sendmail, Postfix, binutils and OpenVPN, amongst others. No exact timescale has been given for the inclusion of these projects, although Google claims it will be "soon".

Explaining how the programme came to be, Zalewski said: "We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug."

Anyone wishing to participate should submit bug reports directly to the maintainers of the individual projects included in the scheme. Once the patch is accepted and merged into the repository, bug hunters should send all the relevant details to security-patches@google.com.

Those whose submissions are judged to have a demonstrable, positive impact on the security of the project in question will qualify for a reward ranging from $500 (313.18) up to a maximum $3,133.7 (1962.74).

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.