Google applies bug bounty model to open-source projects

Summary: The search giant will reward large security improvements to open-source projects that power the internet.

After handing out millions of dollars in security bug bounties, Google is extending the model to reward security improvements made to a selection of open-source projects.

This new program, dubbed Patch Rewards, is focused on patches that have a "demonstrable, significant, and proactive impact" on security, rather than rewarding developers for bug fixes, as the current Vulnerability Reward Program does.

"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire," wrote Michal Zalewski of the Google security team in a blog post.

"In addition to valid reports, bug bounties invite a significant volume of spurious traffic — enough to completely overwhelm a small community of volunteers.

"On top of this, fixing a problem often requires more effort than finding it."

For a patch to be eligible for payment, it must be submitted directly to the maintainers of a selected project, merged into the source code repository of the project, and be part of a project release. Only after that process is complete can developers submit their patch to the Patch Reward program.

Should a project reject a patch, the developer will have no recourse to apply to Google for payment, with the search giant saying the sole decision to accept a patch is up to maintainers of open-source projects.

"Given the nature of the program, we do not wish to second-guess the decisions of those managing the project," the company said.

Examples given by Google of improvements that would qualify for Patch Rewards are: improvements to privilege separation, memory allocator hardening, cleanups of integer arithmetic, systematic fixes for various types of race conditions, and elimination of error-prone design patterns and library calls.

"Reactive patches that merely address a single, previously discovered vulnerability will typically not be eligible for rewards," says the Patch Rewards page.

The first projects announced as eligible are OpenSSH, BIND, ISC DHCP, libjpeg, libpng, giflib, Chromium, Blink, OpenSSL, zlib, and "Security-critical, commonly used components" of the Linux kernel.

In the next few weeks, Google intends to add Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, GCC, binutils, llvm, and OpenVPN to the program.

Developers on any of these open-source projects are eligible for payment from Google.

Rewards range from $500 to $3,133.70, depending on the "demonstrable, positive impact on the security of the project" that a patch has, as judged by a panel from Google's security team.

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Talkback

3 comments
  • More open source bug bounties from Google, @Said Enough, where are you?

    From the article:
    o "The first announcements of valid projects are OpenSSH, BIND, ISC DHCP, libjpeg, libpng, giflib, Chromium, Blink, OpenSSL, zlib, and "Security-critical, commonly used components" of the Linux kernel."
    o "In the next few weeks, Google intends to add Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, GCC, binutils, llvm, and OpenVPN to the program."
    Rabid Howler Monkey
  • Article: "Security-critical, commonly used components of the Linux kernel"

    Google is going directly against Linux creator and head maintainer Linus Torvalds' wishes by putting Linux kernel security bugs on a pedestal. In fact, I wonder if Linus will speak out against this action by Google. More here:

    "Torvalds criticises the 'security circus'
    July 17, 2008
    http://www.zdnet.com/torvalds-criticises-the-security-circus-1339290671/
    "Torvalds said that taking the bugs to the "security circus" level only glorified the wrong kind of behaviour. "It makes heroes out of security people, as if the people who don't just fix normal bugs aren't as important.""
    Rabid Howler Monkey
  • Ya

    Google needs bounties. Chrome browser v30 fixed 50 vulnerabilities found [and hopefully fixed] in the previous version. Who knows what they'll find in their other stuff.
    Gisabun