Certain core infrastructure projects are now eligible for a rewards program

Oct 10, 2013 07:09 GMT

Google's bug bounty program, through which the company rewards researchers who spot security vulnerabilities in its software and sites, is one of the biggest and most successful to date. But the company is now going beyond bugs, and beyond its own products, with a new program that aims to reward security contributions to important open source projects.

"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it," Google explained.

Instead, Google decided not to pay for bug reports but to reward the patches themselves: fixes for specific problems are eligible, but so are patches that proactively improve the security of the software they are submitted to.

"Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help," the company added.
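To make concrete the "sketchy calls to strcat()" cleanup mentioned above, here is an added example that is not Google's code and not taken from any of the projects the program covers. The function names (`bounded_len`, `append_bounded`, `run_checks`) and the 16-byte buffer are constructed for illustration; the point is the shape of a hardening patch a maintainer would be happy to merge: the destination size becomes an explicit parameter, the result is refused rather than silently truncated when it would not fit, and an unterminated destination is detected instead of being scanned past.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from Google or any of the listed projects.
 * The "before" pattern a reviewer would flag is shown only as a comment:
 *
 *   // no idea how large line is at this point, so a long
 *   // user_supplied string writes past the end of the array
 *   char line[32];
 *   strcpy(line, prefix);
 *   strcat(line, user_supplied);
 */

/* Length of s, never looking further than cap bytes, so a destination that
 * has lost its terminator cannot be read past its end. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Append src to the NUL-terminated string in dst, which has dst_size bytes
 * of storage. Returns 0 on success. Returns -1 and leaves dst untouched if
 * dst is not terminated within dst_size or if the result plus its NUL would
 * not fit. Refusing beats silent truncation: a truncated path or header is
 * a classic bug source of its own. */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used, add;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    used = bounded_len(dst, dst_size);
    if (used == dst_size)           /* no terminator: dst is already corrupt */
        return -1;

    add = strlen(src);
    /* dst_size - used - 1 is the number of character slots still free;
     * comparing this way avoids overflow in used + add + 1. */
    if (add > dst_size - used - 1)
        return -1;

    memcpy(dst + used, src, add + 1);   /* copies the terminator as well */
    return 0;
}

/* Exercises append_bounded on a constructed 16-byte buffer. Returns 1 when
 * every step behaves as intended, 0 at the first mismatch. */
int run_checks(void)
{
    char buf[16] = "hello";

    /* 5 + 7 + 1 = 13 bytes: fits */
    if (append_bounded(buf, sizeof buf, ", world") != 0) return 0;
    if (strcmp(buf, "hello, world") != 0) return 0;

    /* 12 + 4 + 1 = 17 bytes: refused, buffer left unchanged */
    if (append_bounded(buf, sizeof buf, "!!!!") != -1) return 0;
    if (strcmp(buf, "hello, world") != 0) return 0;

    /* 12 + 3 + 1 = 16 bytes: exactly fills the buffer, still terminated */
    if (append_bounded(buf, sizeof buf, "!!!") != 0) return 0;
    if (strcmp(buf, "hello, world!!!") != 0) return 0;

    /* an unterminated destination is rejected rather than scanned past */
    {
        char raw[4] = { 'a', 'b', 'c', 'd' };
        if (append_bounded(raw, sizeof raw, "x") != -1) return 0;
    }
    return 1;
}

int main(void)
{
    printf("hardened append checks %s\n", run_checks() ? "passed" : "FAILED");
    return 0;
}
```

The same discipline applies to the other items in the quote: switching allocators or enabling ASLR are build- and runtime-level changes, but the review question is identical, namely whether the patch makes the size, the privilege, or the address layout an explicit, checked quantity rather than an assumption.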

For now, the program only covers a short list of core open source software: core infrastructure network services (OpenSSH, BIND, ISC DHCP); core infrastructure image parsers (libjpeg, libjpeg-turbo, libpng, giflib); the open-source foundations of Google Chrome (Chromium, Blink); other high-impact libraries (OpenSSL, zlib); and security-critical, commonly used components of the Linux kernel, including KVM.

After an initial phase, Google plans to expand the program to more projects: the popular web servers (Apache httpd, lighttpd, nginx); email tools (Sendmail, Postfix, Exim); developer toolchain components (GCC, binutils, llvm); and OpenVPN.

To participate in the new program, do what you would normally do: submit a patch to one of the included projects and, once it has been accepted and merged into the project's main source tree, contact Google at [email protected] with the details.

Meaningful contributions will be rewarded with $500 to $3,133.7 (€370 to €2,306). The company may pay more for special contributions, and participants may choose to give their award to charity, in which case Google will match the sum.