Slashdot Mirror


Google Offers Cash For Security Fixes To Linux and Other FOSS Projects

jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.

7 of 94 comments

  1. No. by girlintraining · Score: -1, Troll

    "...which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties."

    Okay, Google, that's just not nice. That's a slap in the face. So I'm not gonna be nice in my reply to you either. Everyone -- if you have a security vulnerability in a Google product, sell it on the black market. You can easily get a hundred grand for a popular product. Easily. The criminals will actually pay you what you're worth, as opposed to cheap-ass Google here, who thinks short-changing you can be forgiven because they worked "31337" into the payoff.

    Screw you, Google. Pay people what the vulnerability is actually worth, and protect your clients properly -- because a hundred grand is a lot less than they're gonna be hurting when their systems get pwned. You aren't "31337". You're ID10T5.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:No. by girlintraining · Score: -1, Troll

      They could keep the theme and just add some zeros.

      They purposefully shifted the decimal point. '31337' would be 31 grand. Still short of the mark, but it wouldn't be a slap in the face then. I have this sneaking suspicion that the only reason they're offering this is so when they find the people who cashed in they can say at their trial "oh no, they're extra evil because they weren't doing it for money... they wanted to hurt us!" ... Er, yeah, sure, okay, whatever. Guys, grow a brain. Seriously. You're asking people to voluntarily step forward and announce to the government they have the ability to find exploits in popular software products for a measly couple of grand.

      "Yeah. Here's your three grand, welcome to the terror watchlist!" ... You'd have to be criminally stupid to come forward with an exploit for that paltry sum. White hats aren't even that stupid. They go work for companies making six figures as "security researchers" to put up with the hassle of having the SWAT team bust in their door every now and then. They don't do it for peanuts.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:No. by girlintraining · Score: -1, Troll

      But why should Google pay 31,337 or 313,370 for bugs in OTHER PEOPLE'S software?

      *facepalm* Google is using open source products as a foundation for their own offerings to their clients. That means they have a fiduciary responsibility to ensure their offerings are secure. It's like contractors building a house: they have a professional responsibility to ensure the building materials are up to code. They can't just build a house and, when it later collapses and kills the owner, say "Oh, well, nobody told us those screws were made out of pure iron and rusted away in a few months and killed everyone inside." They were supposed to check. They certified that house was safe; it's their job to make sure the materials are free of obvious defects.

      This is Google's (pathetic) attempt to meet that fiduciary responsibility to their clients, who are using their products, with these "building materials". But the thing is, Google isn't hiring people to actually look at the code and submit changes if problems were found (either internally patched/unreleased, or publicly available; the license allows for either). That would be the truly responsible thing to do. What they're doing is saying this most minuscule of efforts, so pathetically inadequate as to actually inspire resentment on the part of people who do this sort of work (legally or otherwise), is sufficient to shield themselves from legal liability.

      Maybe it is. I'm not a lawyer. But it falls well short of being good business ethics, no matter how you cut it. Google is engaging in a reckless business strategy to save money. Shame on them.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:No. by girlintraining · Score: -1, Troll

      They could just not bother at all. Is there anyone else offering bug bounties on software they didn't even write to begin with? Anyone?

      They're making offerings that use this software as part of it. They have a fiduciary responsibility to ensure their offering is secure, which means they need to make sure the software components, regardless of who made them, are also secure.

      Every company that uses open source products should be making financial contributions to those products to ensure they meet the same standards their own product offerings do. If they aren't willing to do that, they have no business using the product to begin with. Open source wasn't created so corporations could get 'freebies' to cut costs. OSS costs money too.

      Pony up, Google.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:No. by girlintraining · Score: 0, Troll

      Still, I think they should get a little credit for offering money for stuff that benefits us all (including them of course).

      They get NO credit. None. They're raking in billions of dollars on products which use this software. Imagine if similar products were only available through commercial vendors. They'd be paying tens to hundreds of millions in licensing and support fees every year for the guarantee that bugs found would be fixed, and proper code auditing had been done to minimize vulnerabilities. Instead, they get handed a free beer and told they can have as many more as they want, with the only thing being a stipend at the bottom saying "If you really like this product, please donate some money to the authors so they can continue work on it."

      No. Google gets no credit. Google fails. Google is booted out of the class and banned from school. These people are being so unbelievably cheap and unethical at the same time they deserve nothing but our ridicule.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:No. by girlintraining · Score: -1, Troll

      So you mean to say

      "You mean to say" is a massive hint that a strawman is about to happen...

      it said anywhere "So, dudes, we're gonna fire all our developers and now we'll just pay you for patches, whatevs"?

      ... and there it is.

      Some of those projects they intend to support probably aren't even used by Google - e.g., they're going to pay for working on Sendmail, Postfix and Exim; you think they're using all of them?

      I don't think; I know. They're a business. Their mission statement includes the requirement that they are for-profit. Which means if they're just throwing money away like this, they'd be in trouble with the SEC and their stockholders.

      Troll fucking harder.

      You just tried that, and it failed. I'd have to agree; you need to work on it a bit more.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:No. by girlintraining · Score: -1, Troll

      ... or they'd write it themselves and release it as open source. They've done it with other tools, and even a mobile operating system. Every other tech company in the world is using these same infrastructure technologies as Google, and you're ranting at the one company that is paying at least something, albeit not really enough. I think your outrage is a little misdirected.

      Could you be any more transparent about being paid to write these comments? Please list these "other tools" they released and then stopped developing for, but kept using, and switched over to a "bug bounty" program as the sole method of encouraging people to continue work on them.

      As well, your comment that Android is open source is laughable. Parts of Android are open source. And they licensed it under the Apache license specifically so they could keep some parts proprietary. And if you knew anything about mobile devices, you'd know that the OS only forms one half of the picture; every device needs its own drivers and glue logic on it before the OS can be bolted on top of it. None of this is available. It is effectively useless without those components.

      Every other tech company in the world is using these same infrastructure technologies as Google and

      ... First, when people use words like always, never, etc., they're wrong. I mean, anyone who's been through high school knows that a true/false question containing one of those words is a 'freebie'. Second, of the less-than-every tech companies that use those products, they also have the same fiduciary responsibility if they are publicly traded (as Google is) to ensure the products and services they offer meet quality control standards. Those companies very often meet that responsibility by contributing money for the ongoing development of the products they use.

      I think your outrage is a little misdirected.

      I'm afraid I can't change my opinion of them until money is deposited into my bank account. Until then, all I have to go on is a basic understanding of business ethics and my somewhat more advanced understanding of the field of IT.

      --
      #fuckbeta #iamslashdot #dicemustdie