Google launches open source bug bounty programme

Search giant's bug-hunting reward programme extended to third-party code.

Google is to extend its Vulnerability Reward Program to cover a number of third-party open source projects that it considers critical to the internet as a whole.

According to a blog post by Michal Zalewski of Google's security team, the aim of the programme is to "improve the security of key third-party software critical to the health of the entire internet".

The programme will initially include 12 open source projects divided into five areas: OpenSSH, BIND and ISC DHCP are included under core infrastructure network services; libjpeg, libjpeg-turbo, libpng and giflib are listed as core infrastructure image parsers; Chromium and Blink come under the open source foundations of Google Chrome; OpenSSL and zlib are listed simply as other high-impact libraries; and finally, security-critical, commonly used components of the Linux kernel form their own group.

The programme will also be rolled out at a later date to Apache httpd, Sendmail, Postfix, binutils and OpenVPN, amongst others. No exact timescale has been given for the inclusion of these projects, although Google claims it will be "soon".

Explaining how the programme came to be, Zalewski said: "We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug."

Anyone wishing to participate should submit their patches directly to the maintainers of the individual projects included in the scheme, rather than to Google. Once a patch has been accepted and merged into the project's repository, the submitter should send all the relevant details to security-patches@google.com.

Those whose submissions are judged to have a demonstrable, positive impact on the security of the project in question will qualify for a reward ranging from $500 (£313.18) up to a maximum of $3,133.7 (£1,962.74).
