In an effort to bolster the security and overall functionality of third-party open source software, Google has announced the implementation of a bounty program to reward developers for making improvements to the offerings.
Modled after the company’s Vulnerability Reward Program, the patch bounty incentives seek to go beyond rewarding vulnerability disclosures by offering cash for the creation of solutions for bugs in “key third-party software critical to the health of the entire Internet.”
“We all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program — and employ it to improve the security of key third-party software critical to the health of the entire Internet,” Google’s Michal Zalewski said in a blog post on the program.
“We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic — enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.”
Google said the program will start small, offering rewards ranging from $500 to $3,133.70, and be limited in scope to:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
The program, if successful, will later be expanded to inlcude:
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular SMTP services: Sendmail, Postfix, Exim
- Toolchain security improvements for GCC, binutils, and llvm
- Virtual private networking: OpenVPN
Read Moire Here…