Google to Test Reward Program for Submitting Open Source Security Patches

News Posted: Thu, Oct 10 2013 9:21 AM
You can make a fair bit of coin diving into code and rooting out vulnerabilities. In some instances, Microsoft will pay up to $100,000 for a single bug report, and Google's Vulnerability Reward Program routinely pays out thousands of dollars. It's a win-win situation, except when dealing with services that have only a small team of developers.

With that in mind, Google is trying something new. Going beyond vulnerability rewards, Google said it will start providing financial incentives for "down-to-earth, proactive improvements" that go past simply fixing a known security bug, targeting "key third-party software" that is critical to the health of the Internet. This could entail switching to a more secure allocator, adding privilege separation, and more.

"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it," Google stated in a blog post.

In short, create a patch for an open source project and you could be rewarded anywhere from $500 to $3,133.70. Google has already selected a handful of projects that qualify, among them core infrastructure network services (OpenSSH, BIND, ISC DHCP), and will soon extend the program to more.