Google launches open source bug bounty programme

Search giant's bug-hunting reward programme extended to third-party code.

Google is to roll out its Vulnerability Reward Program to include a number of its critical third-party software providers.

According to a blog post by Michal Zalewski of Google's security team, the aim of the programme is to "improve the security of key third-party software critical to the health of the entire internet".

The programme will initially include 12 open source projects divided into five areas: OpenSSH, BIND and ISC DHCP are included under core infrastructure network services; libjpeg, libjpeg-turbo, libpng and giflib are listed as core infrastructure image parsers; Chromium and Blink come under the open source foundations of Google Chrome; OpenSSL and zlib are listed simply as other high-impact libraries; and finally, security-critical, commonly used components of the Linux kernel form their own group.

The programme will also be rolled out at a later date to Apache httpd, Sendmail, Postfix, binutils and OpenVPN, amongst others. No exact timescale has been given for the inclusion of these projects, although Google claims it will be "soon".

Explaining how the programme came to be, Zalewski said: "We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug."

Anyone wishing to participate should submit bug reports directly to the maintainers of the individual projects included in the scheme. Once the patch is accepted and merged into the repository, bug hunters should send all the relevant details to security-patches@google.com.

Those whose submissions are judged to have a demonstrable, positive impact on the security of the project in question will qualify for a reward ranging from $500 (313.18) up to a maximum $3,133.7 (1962.74).
