Google to Pay Rewards For Patches to Open Source Projects

Google, one of the first companies to offer a significant bug bounty program, is extending its rewards to researchers and developers who contribute patches to a variety of open source projects that measurably improve the security of those projects.


The new rewards will range from $500 to $3,133.70, and are the result of the company looking for new ways to improve the security of its core offerings, such as Chrome OS and the Chrome browser. Google has had a vulnerability reward program for those offerings for several years now, and it has attracted a large volume of submissions. The release notes for new versions of Chrome, for example, often credit a litany of external researchers for submitting bugs. The rewards are often in the $1,000 to $3,000 range, but can skyrocket into the tens of thousands for especially serious vulnerabilities.

But the extension of the program is an indication of how difficult it can be to secure applications, especially open source projects that rely on code from a variety of sources. So Google will now pay developers rewards for security-related improvements to projects such as OpenSSL, OpenSSH and BIND.

“Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help!” Michal Zalewski of the Google security team said in a blog post.

“We intend to roll out the program gradually, based on the quality of the received submissions and the feedback from the developer community.”

The components that are part of the program during the initial phase include:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
  • Open-source foundations of Google Chrome: Chromium, Blink
  • Other high-impact libraries: OpenSSL, zlib
  • Security-critical, commonly used components of the Linux kernel (including KVM)

In order to qualify for a reward from Google, the patch submission from the developer has to have a “demonstrable, significant, and proactive impact on the security” of a given component. The program extends to developers who work on the projects as well as external developers who just see a problem they want to help fix. To qualify for a reward, the submitted patch has to actually ship.

In addition to the standard reward of up to $3,133.70, Google may pay out higher rewards for especially clever submissions.

“We may choose higher rewards for unusually clever or complex submissions; we may also split the reward between the submitter and the maintainers of the project in cases where the patch required a substantial additional effort on behalf of the development team,” the rules of the program say.

Developers submit their patches directly to the maintainers of a given project, and once the patch actually ships as part of the project, they simply send an email to Google with the details.
