The Inquirer-Home

Google will pay open source vulnerability finders

Up to $3,133.7 in prizes
Thu Oct 10 2013, 09:41

SOFTWARE DEVELOPER Google is going to start paying the security community for discovering open source software vulnerabilities and will pay bug bounty rewards up to $3,133.7.

Google announced the move in a blog post, saying that it has decided to offer rewards, on a voluntary basis, to a community that itself works on a voluntary basis.

Michal Zalewski of Google's security team said that the reward system will be rolled out gradually, and will grow depending on the response the firm receives.

There will be payment scales: the highest reward will be $3,133.7 and the lowest payment will be $500.

"We thought about simply kicking off an [open source software] bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it," he said.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help."

Five types of disclosure will be accepted immediately. These include those that affect "Core infrastructure network services" like OpenSSH, BIND, and ISC DHCP, and "high impact" libraries like OpenSSL.

Depending on the success of the project, payouts will later be extended to bug fixes for the web servers Apache httpd, lighttpd and nginx, the SMTP services Sendmail, Postfix and Exim, and OpenVPN.
