Slashdot Mirror


Google Offers Cash For Security Fixes To Linux and Other FOSS Projects

jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.

3 of 94 comments

  1. Re:No. by oodaloop · · Score: 4, Informative

    Okay Google, that's just not nice.

    Google paying people for finding bugs in software that Google didn't produce isn't nice? Who else does that?

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  2. Re:Why not pay the OpenSSH project, Google? by Anonymous Coward · · Score: 3, Informative

    DNRTFA; comment about "a separate security reporting structure" anyways!

    Code fixes should be submitted directly to the maintainers of the individual projects. Once the patch is accepted and merged into the repository, submitters should e-mail the details to security-patches@google.com. "If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,113.70," Zalewski said.

    PS:

    Q: I'm a core developer working on one of the in-scope projects. Do my own patches qualify?
    A: Most certainly!

    PPS:

    The people and organizations who have contributed money, equipment, or services to OpenSSH are not kept separate, but are combined with the list of people who have donated to all OpenBSD projects. That list can be found at the main OpenBSD donation page.

    If you'd care to search for "Google" on that page, you'd see it's already there in the list of donors.

  3. Re:Why not pay the OpenSSH project, Google? by Anonymous Coward · · Score: 2, Informative

    Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?

    Um, for one, Google's listed on the OpenBSD donors page: http://www.openbsd.org/donations.html#people. Second, Google employs Damien Miller, who is one of the lead OpenSSH developers. Google employs a bunch of other OpenBSD developers too.