Google Offers Money To Open Source Patch Developers
Improving security of free software can result in a $3,133.7 paycheck
Google will offer awards ranging from $500 to $3,133.7 for improvements to the security of certain open source projects.
The new initiative does not issue ‘bug bounties’, instead rewarding developers for fully functional patches that have been integrated into the shipping version of the software.
“We decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” explained Michal Zalewski from Google Security Team.
1337 apply here
Since 2010, Google has been offering up to $20,000 for the discovery of flaws in its web applications as part of the Vulnerability Reward Programme. This week, the company decided to extend this model further and reward developers who improve the security of software “critical to the health of the entire Internet”.
The list of open source projects that are featured in the new programme includes infrastructure network services like OpenSSH and BIND, image parsers like libjpeg and libpng, OpenSSL and zlib libraries, along with commonly used components of the Linux kernel, on which Android is built.
Some readers will notice that a lot of these services are critical to Google’s own work. The programme also encourages development of patches for the Chromium browser and Blink engine, which serve as the foundation of the Chrome browser and the Chrome OS.
Examples of improvements that will qualify for an award include memory allocator hardening, systematic fixes for various types of race conditions and elimination of error-prone design patterns or library calls. Patches which address a previously discovered vulnerability will not be considered.
“Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help,” said Zalewski.
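The strcat() clean-up Zalewski mentions is the kind of small, proactive patch the programme is aimed at. The following is an added illustration, not code from Google or from any of the in-scope projects: a hypothetical build_address() routine that concatenates into a fixed buffer, shown first in the error-prone strcat() form and then rewritten around a bounded append helper that refuses, rather than overflows, when the pieces do not fit. All names, buffer sizes and inputs here are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_LEN 32 /* constructed size for the example */

/* 'Before' pattern (hypothetical): strcat() into a fixed buffer with no
 * length check. If user + "@" + host exceeds BUF_LEN - 1 bytes, strcat()
 * writes past the end of out. Shown only as the pattern a hardening patch
 * would remove; nothing below calls it. */
void build_address_unsafe(char out[BUF_LEN], const char *user, const char *host)
{
    out[0] = '\0';
    strcat(out, user);
    strcat(out, "@");
    strcat(out, host);
}

/* Bounded length: number of bytes before the first NUL, or limit if none. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened helper: append src to dst without writing past dst_size bytes.
 * Returns 0 on success, -1 if src (plus terminator) would not fit; dst is
 * left unchanged on failure. */
int safe_append(char *dst, size_t dst_size, const char *src)
{
    size_t dlen = bounded_len(dst, dst_size);
    size_t slen = strlen(src);
    if (dlen >= dst_size)          /* dst is not NUL-terminated in bounds */
        return -1;
    if (slen >= dst_size - dlen)   /* no room for src and the terminator */
        return -1;
    memcpy(dst + dlen, src, slen + 1);
    return 0;
}

/* 'After' pattern: build "user@host" into out (capacity out_size).
 * Returns 0 on success, -1 if the result does not fit; on failure out is
 * reset to the empty string so a caller never sees a half-built value. */
int build_address(char *out, size_t out_size, const char *user, const char *host)
{
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    if (safe_append(out, out_size, user) != 0 ||
        safe_append(out, out_size, "@") != 0 ||
        safe_append(out, out_size, host) != 0) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[BUF_LEN];
    /* Fits: prints the address. */
    if (build_address(buf, sizeof buf, "alice", "example.org") == 0)
        printf("ok: %s\n", buf);
    /* Too long for an 8-byte buffer: rejected instead of overflowing. */
    char small[8];
    if (build_address(small, sizeof small, "alice", "example.org") != 0)
        printf("rejected: input does not fit in %zu bytes\n", sizeof small);
    return 0;
}
```

The point of the rewrite is not the helper itself (strlcat() or snprintf() with a checked return value would do as well) but that every append carries the destination size and that the caller gets an explicit failure result, which is what turns a latent overflow into an ordinary handled error.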
Google may choose to grant higher rewards for unusually clever or complex submissions.
The company has promised to eventually extend the programme to include the Apache server, several popular SMTP services, OpenVPN and even the GNU Compiler Collection.
To participate, developers have to submit their patches directly to the maintainers of individual projects. If the improvements are merged into the repository and demonstrate “significant and proactive impact on the security of one of the in-scope projects”, the information can be forwarded to Google in exchange for a paycheck.
Earlier this month, Yahoo was criticised for handing out a £12.50 voucher to thank researchers who uncovered cross-site scripting flaws on the ecom.yahoo.com and adserver.yahoo.com websites. The company has since apologised, increased its bug bounties and sent the researchers a higher award.