Google broadens Patch Rewards Program
Posted on 19 November 2013.
Google has announced the expansion of its recently unveiled Patch Rewards Program, which rewards security researchers for submitting hardening patches to third-party open source software critical to the health of the entire Internet.

Initially the program included core infrastructure network services such as OpenSSH, BIND, ISC DHCP; image parsers such as libjpeg, libjpeg-turbo, libpng, giflib; open source foundations of Google Chrome (Chromium, Blink); high-impact libraries such as OpenSSL and zlib, and security-critical components of the Linux kernel (including the Kernel-based Virtual Machine).

Now the list of projects eligible for rewards also includes the Android Open Source Project, web servers such as Apache httpd, lighttpd, nginx; mail delivery services Sendmail, Postfix, Exim, and Dovecot; OpenVPN; University of Delaware NTPD; additional core libraries: Mozilla NSS, libxml2; and toolchain security improvements for GCC, binutils, and llvm.

As before, researchers should submit code improvements and patches directly to the maintainers of the project in question. Once a patch has been merged, it can be brought to Google's attention, and a reward panel decides the amount (usually between $500 and $3,133.70). Reactive patches that address a single, previously discovered vulnerability are not eligible for rewards.

“We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it,” explained Google security team member Michal Zalewski.

“So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help!”
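As an added illustration of the kind of "sketchy strcat()" cleanup the quote refers to (example code written for this page, not from Google or from any of the projects listed above): a hypothetical log-line builder shown in its unbounded "before" form and a bounded "after" form. The buffer size, the helper name `bounded_cat`, and the inputs are all constructed for the example; the helper reimplements strlcat-style semantics because strlcat() is not available on every libc.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_CAP 32   /* deliberately tiny so the arithmetic is easy to follow */

/* Constructed oversize input used by main() and the checks below. */
const char *const LONG_MSG = "message that is far too long for it";   /* 35 chars */

/* Before: the sketchy version.  Three unbounded copies into a fixed buffer.
   If user + ": " + msg needs more than LINE_CAP bytes (terminator included),
   this writes past the end of line[]: undefined behaviour, and in practice a
   stack or heap overflow.  Kept only for comparison; never call it on
   untrusted input. */
void build_line_sketchy(char line[LINE_CAP], const char *user, const char *msg) {
    strcpy(line, user);
    strcat(line, ": ");
    strcat(line, msg);
}

/* strlcat-style bounded append: appends src to dst (total capacity cap),
   always leaves dst NUL-terminated, and returns the length the result *would*
   have had.  A return value >= cap means the append was truncated. */
size_t bounded_cat(char *dst, size_t cap, const char *src) {
    size_t dlen = 0;
    while (dlen < cap && dst[dlen] != '\0')   /* strnlen(dst, cap) by hand */
        dlen++;
    size_t slen = strlen(src);
    if (dlen == cap)                 /* dst not terminated within cap: write nothing */
        return cap + slen;
    size_t room = cap - dlen - 1;    /* bytes available before the terminator */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* After: the hardened version.  Returns true if the whole line fit, false if
   it was truncated; line[] is a valid NUL-terminated string either way. */
bool build_line_safe(char *line, size_t cap, const char *user, const char *msg) {
    if (cap == 0)
        return false;
    line[0] = '\0';
    bool ok = bounded_cat(line, cap, user) < cap;
    ok = bounded_cat(line, cap, ": ") < cap && ok;
    ok = bounded_cat(line, cap, msg) < cap && ok;
    return ok;
}

/* Bytes the sketchy version would write for this input, terminator included;
   anything above LINE_CAP is an overflow.  Computed rather than triggered. */
size_t sketchy_bytes_written(const char *user, const char *msg) {
    return strlen(user) + 2 + strlen(msg) + 1;
}

int main(void) {
    char line[LINE_CAP];

    /* Constructed input that fits: both versions produce the same line. */
    build_line_sketchy(line, "alice", "hello");
    printf("sketchy: %s\n", line);
    build_line_safe(line, sizeof line, "alice", "hello");
    printf("safe:    %s\n", line);

    /* Oversize input: 41 bytes needed, 32 available. */
    printf("sketchy would write %zu bytes into a %d-byte buffer\n",
           sketchy_bytes_written("bob", LONG_MSG), LINE_CAP);
    bool ok = build_line_safe(line, sizeof line, "bob", LONG_MSG);
    printf("safe: fit=%d line=\"%s\"\n", ok, line);
    return 0;
}
```

The point of returning the would-be length rather than silently truncating is that the caller can treat truncation as an error (drop the record, log a warning) instead of shipping a mangled string downstream; that is the behaviour difference a reviewer should look for when replacing strcat() calls, not just the absence of the overflow.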
