SOFTWARE DEVELOPER Google is going to start paying the security community for discovering open source software vulnerabilities and will pay bug bounty rewards up to $3,133.7.
Google announced the move in a blog post, saying that it has decided to offer bug bounties voluntarily to what is a voluntary community.
Michal Zalewski of Google's security team said that the reward system will be rolled out gradually, and will grow depending on the response the firm receives.
There will be payment scales and the highest reward amount will be $3,133.7. The least amount paid will be $500.
"We thought about simply kicking off an [open source software] bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it," he said.
"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help."
Five types of disclosure will be accepted immediately. These include those that affect "Core infrastructure network services" like OpenSSH, BIND, and ISC DHCP, and "high impact" libraries like OpenSSL.
Upcoming and depending on the success of the project will be payouts for bug fixes to the web servers Apache httpd, lighttpd, and nginx, and the SMTP services Sendmail, Postfix, Exim and Open VPN. µ
Sign up for INQbot – a weekly roundup of the best from the INQ