Microsoft and Google appear to be the primary belligerents in an anti-arms race that pays security researchers to sniff out bugs on the Internet. Yesterday it was Google’s turn to proliferate the scope of its bug bounty program.
More robust, high paying, and far reaching bug bounties are good news for everyone – other than the governments and exploit brokers that would rather buy and sell vulnerabilities with little competition. Bug bounties are good for users because they make the Web, computers, and software safer, and they are also good for vendors, because it is cheaper to pay one-off researchers than it is to hire full-time bug-hunters.
Google is one of the vanguards of paying bounties to researchers who responsibly disclosed bugs in their products and services. In October though, the company announced its Patch Rewards Program, which offers payments to researcher that disclose bugs in open-source protocols and projects.
Initially the list of eligible services were core infrastructure network services like OpenSSH, BIND, and ISC DHCP; core infrastructure image parsers like libjpeg, libjpeg-turbo, libpng, and giflib; open-source foundations of Google Chrome like Chromium and Blink; other high-impact libraries like OpenSSL and zlib; and security-critical, commonly used components of the Linux kernel (including KVM).
Now Google is extending that list to include: all the open-source components of Android such as the Android Open Source Project; widely used web servers such as Apache httpd, lighttpd and nginx; popular mail delivery services including Sendmail, Postfix, Exim, and Dovecot; virtual private networking services like OpenVPN; network time, for example, the University of Delaware’s NTPD; more core libraries like Mozilla NSS and libxml2; and toolchain security improvements for GCC, binutils, and llvm.
Microsoft too has been improving its bounty program in recent months. First it announced that it would pay six-figure sums for particularly critical bugs. Then it added incident response teams and forensics experts who come across active attacks in the wild to the list of candidates eligible for these six-figure rewards. In addition to that, along with Facebook, Microsoft sponsors an Internet bug bounty, similar to Google’s, which rewards researchers for uncovering vulnerabilities in core Internet technologies.
