Google Offers Cash For Security Fixes To Linux and Other FOSS Projects

jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.

No.

[girlintraining]

Which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties."

Okay Google, that's just not nice. That's a slap in the face. So I'm not gonna be nice in my reply to you either. Everyone -- if you have a security vulnerability in a google product; Sell it on the black market. You can easily get a hundred grand for a popular product. Easily. The criminals will actually pay you what you're worth, as opposed to cheap-ass Google here, who thinks short-changing you can be forgiven because they worked "31337" into the pay off.

Screw you Google. Pay people what the vulnerability is actually worth, and protect your clients properly -- because a hundred grand is a lot less than they're gonna be hurting when their systems get pwned. You aren't "31337". You're ID10T5.

Re:No.

[h4rr4r]

They could keep the theme and just add some zeros.

Re:No.

[andydread]

THey could just not bother at all. is there anyone else offering bug bounties on software they didn't even write to begin with? Anyone?

Re:No.

They could keep the theme and just add some zeros.

3133.7 x 10 to the power of ___?

Re:No.

[girlintraining]

They could keep the theme and just add some zeros.

They purposefully shifted the decimal point. '31337' would be 31 grand. Still short of the mark, but it wouldn't be a slap in the face then. I have this sneaking suspicion that the only reason they're offering this is so when they find the people who cashed in they can say at their trial "oh no, they're extra evil because they weren't doing it for money... they wanted to hurt us!" ... Er, yeah, sure okay, whatever. Guys, grow a brain. Seriously. You're asking people to voluntarily step forward and announce to the government they have the ability to find exploits in popular software products for a measily couple of grand.

"Yeah. Here's your three grand, welcome to the terror watchlist!" ... You'd have to be criminally stupid to come forward with an exploit for that paltry sum. White hats aren't even that stupid. They go work for companies making six figures as "security researchers" to put up with the hassle of having the SWAT team bust in their door every now and then. They don't do it for peanuts.

Re:No.

Surely if one were to fix those vulnerabilities for free anyway, a cheque would be an awesomely nice present? If you're going to do it for profit, rather than for the greater good, I'm sure you'd find some channels with or without Google.

Re:No.

[stewsters]

The NSA does.

Re:No.

They aren't asking people to fix THEIR software.

OpenSSL is free open source library, not maintained by Google.
OpenHHS is free open source library, not maintained by Google
BIND is free open source... oh you get the picture.

They are asking people to open libraries that everyone is using. OpenSSL is library used to proved encryption for HTTPS requests, emails sent over TLS, etc. OpenSSH is what almost all ssh servers and clients use to securely login and encrypt communication end to end.

The motivation for fixing these is the fact that your internet access to your bank account depends on it. Google is just sweetening the pot. Selling exploits in these libraries would be the same as selling the bank account of almost every American.

This is a publicity move based on the disclosure of PRISM. The back doors in OpenSSH and OpenSSL were baked in on purpose by NSA. This was disclosed in the Snowden documents. Google wants these to be patched, and wants people to see that they helped get them patched, but because of PRISM, Google wouldn't be trusted to submit code upstream. This is an attempt at spreading "we care about the community" not their typical "we're paying people peanuts for fixing out software."

Re:No.

Why not just sell the vulnerability to both? Then you can honestly say that (1) you've committed "responsible disclosure" by telling the vendor first and (2) you give the criminals a potentially very worthless vulnerability if the vendor reports mitigation that makes the vulnerability near useless.

Re:No.

I know what you meant, but what you said would equate to:
$3,133.70 + $0 + $0 + $0 + $0 = $3,133.70

But why should Google pay 31,337 or 313,370 for bugs in OTHER PEOPLE'S software?

Re:No.

[Nerdfest]

Keep in mind that this is open-source software. Most people fix these for free right now. This this throws a bit of incentive out there for people to look a little more actively. For their own closed products products like Chrome though, yeah, the amounts are way too low. Still, I think they should get a little credit for offering money for stuff that benefits us all (including them of course).

Re:No.

[harvestsun]

The black market has a much higher demand for vulnerabilities, and there's also some inherent risk for such dealings, so it makes sense that the price would be higher. If you want to go with that route, go ahead, Google isn't forcing you. Google is just offering compensation based on what the defects are worth to them; I don't know why you would expect otherwise.

Re:No.

"Yeah. Here's your three grand, welcome to the terror watchlist!" ... You'd have to be criminally stupid to come forward with an exploit for that paltry sum.

Yeah. It is much better to sell it to the bad guys. That way you are tied to a "terrorist organization" and enough charges to put you in gitmo. At least here you keep the guise of "ethical hacker". How much money you get for your work isn't the point here. It is to give people a way to monetize a security flaw they have found without becoming a criminal because, hey, that is the only way I get money for finding this!

On the same note, they can't make it a substantially huge sum of money for the bounty for simple good business sense reasons. The amount of security flaws in software X is Y. No one knows the value of Y. Imagine them offering $100k instead and then 10000+ qualified vulnerabilities come flooding in. That would be $1B+ in dues they owe

Re:No.

[Sarten-X]

What is your conscience worth to you?

Researchers have been responsibly reporting vulnerabilities for decades, usually out of an altruistic desire to make the world a little safer. The extra cash is just a token of appreciation, not a work-for-hire deal. Heck, a lot of researchers are already getting paid on salary to do the work that leads them to the bugs.

Re:No.

[oodaloop]

Okay Google, that's just not nice.

Google paying people for finding bugs in software that Google didn't produce isn't nice? Who else does that?

Re:No.

I always wonder why people are upmodding obvious uninformed troll comments of yours.

Seriously, Google is paying for working on third-party open source projects - and you go all "Fuck you, I want more!!11", and some idiot mods you up.

Note that it's not even simply for fixing vulnerabilities, it's all kinds of improvements you might have been doing on your own - TFA quotes "Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR".

PS: I get it! You're just testing how many mods don't RTFA (though they seemingly don't even RTFC they're modding up often).

Re:No.

[girlintraining]

But why should Google pay 31,337 or 313,370 for bugs in OTHER PEOPLE'S software?

*facepalm* Google is using open source products as a foundation for their own offerings to their clients. That means they have a fiduciary responsibility to ensure their offerings are secure. It's like contractors building a house; They have a professional responsibility to ensure the building materials are up to code. They can't just build a house and when it later collapses and kills the owner say "Oh, well, nobody told us those screws were made out of pure iron and rusted away in a few months and killed everyone inside." They were supposed to check. They certified that house was safe; It's their job to make sure the materials are free of obvious defects.

This is Google's (pathetic) attempt to meet that fiduciary responsibility to their clients, who are using their products, with these "building materials". But the thing is, Google isn't hiring people to actually look at the code and submit changes if problems were found (either internally patched/unreleased, or publicly available; The license allows for either). That would be the truly responsible thing to do. What they're doing is saying this most miniscule of efforts, so pathetically inadequate as to actually inspire resentment on the part of people who do this sort of work (legally or otherwise), is sufficient to shield themselves from legal liability.

Maybe it is. I'm not a lawyer. But it falls well short of being good business ethics, no matter how you cut it. Google is engaging in a reckless business strategy to save money. Shame on them.

Re:No.

[TheCarp]

I was going to say criminals but now its partially redundant.

Re:No.

More like "smoke and mirror". Read Mr Schmitt's book on how they want to be part of World Government. Or should I say "bad cop, good cop" ?

If you trust Google, you can trust Alexander, too.

Re:No.

I agree, screwing over potentially very dangerous criminals is totally worth it Google reports that it sent you a 3133.7 check for fixing the same vulnerability.

Re:No.

If you're willing to sell your vulnerability to criminals, harming others just to line your own pockets... well you're probably not the sort of person they want to bother dealing with.

(Scum.)

Re:No.

[girlintraining]

THey could just not bother at all. is there anyone else offering bug bounties on software they didn't even write to begin with? Anyone?

They're making offerings that use this software as part of it. They have a fiduciary responsibility to ensure their offering is secure, which means they need to make sure the software components, regardless of who made them, is also secure.

Every company that uses open source products should be making financial contributions to those products to ensure they meet the same standards their own product offerings do. If they aren't willing to do that, they have no business using the product to begin with; Open source wasn't created so corporations could get 'freebies' to cut costs. OSS costs money too.

Pony up, Google.

Re:No.

I am convinced this person has a set of self-upvote accounts. Their posts get marked up seconds after they are made, regardless how trollish or uninformed that they are

Re:No.

[Joining+Yet+Again]

This, a thousand times.

OP just sounded like, "Fuck you, I'm using my skills for extortion!"

Anyway, a criminal would sell the flaw to every market. So it makes absolute sense not to start an arms race with the mafia.

Re:No.

If you don't want to become a criminal yourself, the responsible thing would still be to report the vulnerability to the actual authors of the packages. Yes, that probably won't get you any money, but who tells you that Google will pass on the bug report and/or fix to the actual authors, and that they do so in a timely manner? If you report to the actual authors, you'll be assured that everyone gets the fix as soon as it exists.

Also, I guess in cases where Google does forward it to the authors, it will be recorded there as "reported by Google", improving Google's image instead of yours.

Re:No.

[girlintraining]

Still, I think they should get a little credit for offering money for stuff that benefits us all (including them of course).

They get NO credit. None. They're raking in billions of dollars on products which use this software. Imagine if similar products were only available through commercial vendors. They'd be paying tens to hundreds of millions in licensing and support fees every year for the guarantee that bugs found would be fixed, and proper code auditing had been done to minimize vulnerabilities. Instead, they get handed a free beer and told they can have as many more as they want, with the only thing being a stipend at the bottom saying "If you really like this product, please donate some money to the authors so they can continue work on it."

No. Google gets no credit. Google fails. Google is booted out of the class and banned from school. These people are being so unbelievably cheap and unethical at the same time they deserve nothing but our ridicule.

Re:No.

Double facepalm.

So you mean to say it said anywhere "So, dudes, we're gonna fire all our developers and now we'll just pay you for patches, whatevs"?

So you mean to say all the other good companies are paying hand over fist for working on those? Apple uses OpenSSH since Mac OS X 10.0.1 and used OpenSSL until 10.7 - where does a volunteer apply to get money from Apple for working on it?

Some of those projects they intend to support aren't even probably used by Google - eg., they're going to pay for working on Sendmail, Postfix and Exim, you think they're using all of them?

Troll fucking harder.

Re:No.

[Nerdfest]

... or they'd write it themselves and release it as open-source. They've done it with other tools, and even a mobile operating system. Every other tech company in the world is using these same infrastructure technologies as Google and you're ranting at the one company that is paying at least something, albeit not really enough. I think you're outrage is a little misdirected.

Re:No.

[Beorytis]

Google isn't hiring people to actually look at the code and submit changes if problems were found (either internally patched/unreleased, or publicly available; The license allows for either). That would be the truly responsible thing to do.

Maybe they plan on hiring people, but they're establishing the market wages for that job in advance.

Re:No.

So, all the big companies that use all those projects - yeah, girl, these are used by most big IT companies out there - and are paying 0 (zero, zilch, no) dollars to the volunteers - do those get negative credits then, or what?

Re:No.

[Baloroth]

Google isn't hiring people to actually look at the code and submit changes if problems were found

And your evidence for that is... what, exactly? They have a bug bounty program (and of course this new program, which has nothing to do with bugs or security holes at all, so technically this whole thread is quite offtopic, but anyways). That does not mean they don't also have internal testers. The idea that they don't is entirely inside your head (unless you have some pretty compelling evidence Google hires no software testers, which would be... well, pretty fucking astonishing if actually true).

A bug bounty program exists because in complex software some bugs will always (always) slip through, no matter if you paid thousands of testers for thousands of hours to test it. By having an external program, you basically end up with millions of (extra) testers. Untrained ones, who will probably catch one-thousandth the bugs your primary testers do (especially because the glaring ones are usually fixed long before the public sees the program), but extra testers nevertheless.

Anyways, actually relevant to the story: this new program is Google paying people who add security features to existing FOSS projects. You know, like the developers of that software already do for free (well, some of them do anyways, quite a few of the features are added by developers paid to work on some project or another). Only now, they can earn a little extra money on the side for it (which they couldn't even do selling "exploits" because they aren't finding exploits, they're adding extra security features). The story is that Google is giving people money to make the Internet as a whole more secure (or in other words paying people not to fix problems in Google's code, but to make non-Google software better in general).

Re:No.

[Princeofcups]

Okay Google, that's just not nice. That's a slap in the face. So I'm not gonna be nice in my reply to you either. Everyone -- if you have a security vulnerability in a google product; Sell it on the black market. You can easily get a hundred grand for a popular product.

Reminds me of the referral bonus they offered at a place I worked a while ago. The bonus was $500. However they were willing to pay $25,000 to a head hunter for the same service. Needless to say, not many people bothered to take them up on it.

Re:No.

[girlintraining]

So you mean to say

"You mean to say" is a massive hint that a strawman is about to happen...

it said anywhere "So, dudes, we're gonna fire all our developers and now we'll just pay you for patches, whatevs"?

... and there it is.

Some of those projects they intend to support aren't even probably used by Google - eg., they're going to pay for working on Sendmail, Postfix and Exim, you think they're using all of them?

I don't think; I know. They're a business. Their mission statement includes the requirement that they are for-profit. Which means if they're just throwing money away like this, they'd be in trouble with the SEC and their stockholders.

Troll fucking harder.

You just tried that, and it failed. I'd have to agree; you need to work on it a bit more.

Re:No.

[zidium]

Who's Alexander? No, seriously.

Re:No.

I'd take the 30 grand.

Re:No.

[girlintraining]

... or they'd write it themselves and release it as open-source. They've done it with other tools, and even a mobile operating system. Every other tech company in the world is using these same infrastructure technologies as Google and you're ranting at the one company that is paying at least something, albeit not really enough. I think you're outrage is a little misdirected.

Could you be any more transparent about being paid to write these comments? Please list these "other tools" they released and then stopped developing for, but kept using, and switched over to a "bug bounty" program as the sole method of encouraging people to continue work on them.

As well, your comment that Android is open source is laughable. Parts of Android are open source. And they licensed it under the Apache license specifically so they could keep some parts proprietary. And if you knew anything about mobile devices, it's that the OS only forms one half of the picture; Every device needs its own drivers and glue logic on it before the OS can be bolted in on top of it. None of this is available. It is effectively useless without those components.

Every other tech company in the world is using these same infrastructure technologies as Google and

... First, when people use words like always, never, etc., they're wrong. I mean, anyone who's been through high school knows that a true/false question containing one of those words is a 'freebie'. Second, of the less than every tech companies that use those products, they also have the same fiduciary responsibility if they are publicly-traded (as Google is) to ensure the products and services they offer meet quality control standards. Those companies very often meet that responsibility by contributing money for the ongoing development of the products they use.

I think you're outrage is a little misdirected.

I'm afraid I can't change my opinion of them until money is deposited into my bank account. Until then, all I have to go on is a basic understanding of business ethics and my somewhat more advanced understanding of the field of IT.

Re:No.

Strawmaning a strawman, now _THAT'S_ cool. Seriously, you said "Google isn't hiring people to actually look at the code and submit changes if problems were found" - how else can one understand that except for how I did?

I don't think; I know. They're a business. Their mission statement includes the requirement that they are for-profit. Which means if they're just throwing money away like this, they'd be in trouble with the SEC and their stockholders.

And more misinformedness. Care to point out a citation from their "mission statement", which you've surely studied thoroughly and not at all pulling this out of thin air?

Stuff this overused urban myth already. Do you think any corporations doing things like giving to charities are soon to be shaken thoroughly by SEC and stockholders too? Because they often do this and this is surely not "for-profit" and is "throwing money away".

Officer's duty is usually defined by leading bona-fide and in the interests of corporation - "keeping positive public image" is surely in the interests of corporation (and as they claim "making Internet safer as whole" is there too, but this statement can be rooted in the former for all we know).

Re:No.

I wholly agree. Moreover, vulnerability discovery is only something you can put on your resumé if made to the good guys. In the long run and wisely used, that alone dwarfs anything that companies could afford to pay for each and every vulnerability discovered.

Re:No.

[behrooz0az]

Are you a moron or just trying to look like one?
You don't get to vote on slashdot like that.

Re:No.

If you're dealing with potentially very dangerous criminals, you're already well past the point where you should be hedging your safety on just how screwed over they feel from your actions--that is, you want to be untraceable as possible regardless.

Beyond that obvious point, as much as you don't want said dangerous criminals able to track you down, you surely don't want any government body to track you down either as they likely won't be much happier--Google's handlers or MS's handlers or whoever are certain to have a Congressman's ear and American has demonstrated it has little regard for international law, the life of foreigners, and very little regard even for laws in its own country when a Congressman wants their way--fuck the whole Constitutional provision of Bills of Attainder. Of course, perhaps by "very dangerous criminals" you were speaking of Congressman, so then I'm just repeating myself.

Re:No.

Sure you do. Have a dozen accounts, all that connect from different spaces when commenting (work, school, proxy 1,2,3). Any of a few which will have mod points at any time. Make a comment under one persona, have the others mod it up. It has been done before (RIP Klerck) and the people who tend to frequent this site are quite technically capable of doing just this.

Re:No.

Not only is it not their software, a majority of it is not even in use by google. They have their own replacement for BIND, they don't use Apache, etc. They are just being great netizens. I think we have all been trolled by "girlintraining"....

Re:No.

[HoldmyCauls]

How many exploits do they have to find as "security researchers" in order to make six figures? You really think those companies that hire them pay six figures for just one (apparently, since you called a 5-digit payout per exploit "short of the mark"). That amount of money adds up quickly for those with the expertise, and they don't even have to be under Google's employ to earn it, meaning that their options are open and other companies won't balk from fixes and reports coming from a potential competitor, and they can increase their worth by finding multiple exploits in a given length of time. I don't have that level of expertise, but from what I gather, the potential in a professional white hat is often so great that they can dedicate their time to it without having a full-time job.

Re:No.

Keith Brian Alexander (born December 2, 1951) is a four-star general in the United States Army who currently serves as Director of the National Security Agency (DIRNSA), Chief of the Central Security Service (CHCSS) and Commander of the United States Cyber Command.

The book and "World Government" thing are probably a reference to those Google-State Dept. allegations.

Re:No.

Huzzah. Does anyone know how long it takes Google to make $3,133.70?

CHeap-ass mu-fuhs.

Re:No.

Wow this post is quite comical and purposely being stupid and catering to mods.

Re:No.

They/S/he is catering to mods, I don't think the opinion is held strongly by the poster. Some will mod for agenda.

Re:No.

The criminals will actually pay you what you're worth

Anyone who supplies criminals with tools to commit crime is worth only the time he should spend in jail. Just because criminals pay better doesn't mean people should do it. In fact, In ideal world people wouldn't ask for money for such a thing, just like they don't ask for money when they point out a busted headlight to a random driver.

Then again, in an ideal world there would be no criminals and no need for security...

Still, that doesn't justify what you're advocating. If anything, this gives the government more ammunition to label everyone with the slightest bit of IT knowledge a "potential criminal" and further extend the surveillance and curb on-line freedom. So, don't do it. Don't sell exploits to criminals.

Re:No.

[girlintraining]

And your evidence for that is... what, exactly?

The lack of job postings was a clue.

They have a bug bounty program...

Yes, one that's almost painfully cheap.

some bugs will always (always) slip through, no matter if

You're using the Nirvana Fallacy. Just because some bugs will slip through is not an excuse not to take due diligence in preventing them. And what Google is doing is not due diligence.

Untrained ones, who will probably catch one-thousandth the bugs your primary testers do

Which just goes to my original point: Giving financial support to the developers and maintainers of the product would be both (a) an actual contribution towards creating a reliable product, and (b) be significantly more effective.

this new program is Google paying people who add security features to existing FOSS projects.

You're confused. Bug fixing is not the same as adding security features. However, on the off chance you are serious... citation needed. And... still off topic.

The story is that Google is giving people money to make the Internet as a whole more secure...

Recent stories about Google cooperating with the NSA to spy in citizens all over the world is a strong mark against your assertion. And a few dollars spent on bug fixing and adding security features (if that's even a real story) does not compensate the massive security failings this company has, and continues to, engage in.

Re:No.

Again, you're building strawmen based on your uninformedness and fervently protect them.

The lack of job postings was a clue.

And the fact you're not asking for a spare brain on your personal page means you're now operating without one. Did you consider that it might mean "Google already has enough developers working on this and is now padding it out further with volunteers"? Do you regularly check Google's job postings?

Which just goes to my original point: Giving financial support to the developers and maintainers of the product would be both (a) an actual contribution towards creating a reliable product, and (b) be significantly more effective.

Yes, and Google does give financial support. For example, they're one of the donors of OpenBSD/OpenSSH project.You're again acting on "Absence of evidence == evidence of absence" premise.

You're confused. Bug fixing is not the same as adding security features. However, on the off chance you are serious... citation needed. And... still off topic.

Read the fucking article once in a while, would you? How the fuck is this offtopic, when this is exactly what this is all about?

So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help!

The story is that Google is giving people money to make the Internet as a whole more secure...

Recent stories about Google cooperating with the NSA to spy in citizens all over the world is a strong mark against your assertion.

The fuck does it even mean? You reject his statement, i.e. you believe this story is about Google giving money to keep the Internet as secure as before, or less? You don't believe people working on making all those projects more secure would help it?..

Did you write it just to work in an NSA reference? Will you now call me out as a NSA-Google shilling detractor for breaking this argument?

Re:No.

Do you regularly check Google's job postings?

No, you just go to the website and search for all the postings that match; Old postings are shown, not just current ones.

You're again acting on "Absence of evidence == evidence of absence" premise.

All of Google's contributions are made available as part of its quarterly SEC filings.

Read the fucking article once in a while, would you? How the fuck is this offtopic, when this is exactly what this is all about?

I'd say the same thing to you, albeit with fewer cuss words.

The fuck does it even mean? You reject his statement, i.e. you believe this story is about Google giving money to keep the Internet as secure as before, or less? You don't believe people working on making all those projects more secure would help it?..

Are you intentionally dense, or are you really this stupid? We're talking about Google's fiduciary responsibility and what would be sufficient in meeting it. You went off on a the tangent about how google is great and blah blah blah... I simply pointed out your statement was wrong and went back to the original topic. I will not entertain you further on this.

Did you write it just to work in an NSA reference? Will you now call me out as a NSA-Google shilling detractor for breaking this argument?

No, I think I'll just go with "moron".

-- Guess who this is. I've gotten tired of ACs leeching away my karma by being so totally stupid and then replying to them gets me caught in the cross-fire when the mods try to shut you assholes up.

Re:No.

[viperidaenz]

BIND is developed by isc.org. They're entirely funded by donations.
The complete re-write that is BIND 9 was entirely funded by a group of companies, the likes of Sun and IBM and others. Of course this happened before Google existed.

Re:No.

[viperidaenz]

I don't think; I know. They're a business. Their mission statement includes the requirement that they are for-profit. Which means if they're just throwing money away like this, they'd be in trouble with the SEC and their stockholders.

So when any for profit company makes a donation to a charity they'll get in trouble with the SEC?

What about all the money Google throws at Google Drive, Gmail and all those other free services? They make the company no direct money. Their income comes from advertising.

Every cent a company spends is not required to be directly translatable in to profit.

Re:No.

[viperidaenz]

Should Google fire the OpenSSH developers they employ (Like this guy)? Should they stop donating to OpenBSD as shown here?

Re:No.

Rage much?

There are millions of other businesses that use FOSS and don't contribute back at all. While Google isn't the best when it comes to rewarding people for FOSS work, they are hardly the worst. Your rant makes you seem awfully petty. I think you need more training in the ways of woman. That's way too Angry Nerd Man. Dial up the femme hormones.

Re:No.

"This is a publicity move based on the disclosure of PRISM. The back doors in OpenSSH and OpenSSL were baked in on purpose by NSA." Your evidence? Prism was on the server-side of these common services anyways such then end to end encryption would be a moot point. Why did the FBI go to the courts to demand lavabit give up thier SSL key if they could have got in the back door?

Re:No.

"Yeah. It is much better to sell it to the bad guys."

That's what you're doing when you sell it to Google. They're just going to sell it to NSA to be used against all of us.

Anything I find goes to the public. And yeah, maybe a few people'll get nailed by some fast-reacting script kiddy. But the holes will get plugged a lot faster and overall I believe the larger number will be better off.

Re:No.

Ah, the original use of "Anonymous Coward " comes out. Your opinions aren't popular ones here ( quite possibly because they are bombastic and lack a certain grounding in reality, but that's beside the point). That's what Karma measures. It looks like you care way too much about other people's opinions of you. You're not getting caught in cross fire, You're the main target.

Re:No.

[MikeBabcock]

Your tagline has it wrong, you just are a troll. Your post contains no usable argument points whatsoever.

One's income has no bearing on the good one does.

Re:No.

[jones_supa]

Well, they make $10 billion profit per year, so it takes quite accurately 1 second for them to earn $3,133.70.

Re:No.

Every company that uses open source products should be making financial contributions to those products to ensure they meet the same standards their own product offerings do.

So: By your own admission, Google is doing the *right* thing but currently too cheap. All the other companies you refer to are doing the *wrong* thing by not paying anything at all. But you're shitting on Google.
No wonder nearly all your posts in this thread are modded troll. You just come across like a (rather poor quality) anti-google shill.
You used to produce some decent posts. What happened? A cheque from MS?

Re:No.

Oh yeah, and you never addressed the fact that Google is even paying bounties for fixes/security enhancements to *software they don't even use in their offerings*. But I suppose that's not good enough for you either.

Re:No.

When a company donates money to a charity it is done for two reasons:

1. tax break
2. publicity
3. No other reason

Now unless the person submitting the bug is part of a non-profit, your point is a strawman.

I hope some cash goes toward the actual projects

Bugs in OpenSSH and BIND are often discovered by OpenBSD during some Hackathons so I'd hope that their giving regular donations to the appropriate projects.

Why not have in house staff or pay an 3rd party

[Joe_Dragon]

Why not have in house staff or pay an 3rd party to do stuff like this full time and not an system that can lead to Dev's coding them self's (or people they know) minivans?

http://dilbert.com/strips/comic/1995-11-13/

Re:Why not have in house staff or pay an 3rd party

Some reasons to run a bug bounty program over just paying staff full time.

1) Finding bugs is something that parallelises well. Staff could spend hours looking through code that may or may not have any bugs in the first place. Finding them can be harder than fixing them once they are found. "given enough eyeballs, all bugs are shallow" so an incentive for many people to look could be worth more than paying a few staff.

2) Assuming someone (not paid to) finds a bug, they have a choice, sell it on the black market (just think how much a serious OpenSSH vulnerability would be worth) or report it privately. Sure it's not as much as the black market might pay but it's helping people who report them privately.

3) I see bug bounties like a bonus, not something that can necessary be used for regular income.

What if the morons at OpenSSL don't incorporate th

I found an issue with OpenSSL in X64 relating to alignment. If one reads intel's software developers manual it pretty much states in bold print:
THOU SHALT ALIGN 16!
Yet, they decided they knew better, and had pointers aligned by 4. One such section was in the pointers for functions that are run at DLL Load time in Windows. This caused the program to crash with an access violation reading some very odd 64 bit addresses. It was clear upon inspection that the pointers were correct, just misaligned causing the lower 16 bits to be read as the upper 48 bits.

Instead of happily replying thank you for reporting the issue, the moron accused me of misconfiguring openSSL, and demanded config files, and generally berated me as being some kind of idiot. I'm not really sure how Intel could have made things more clear than THOU SHALT ALIGN 16. If I worked for intel, I might add an addendum to read THOU SHALT NOT ALIGN 4 LIKE THE OPENSSL MAINTAINERS THINK IS OK.

In the end, they begrudgingly had already made the change after a previous bug report of a similar, but unassociated nature had shown this to be wrong, but they insisted that the reporter there was also a moron. I can easily see a case where their egos now will make things less secure when patches are submitted to patch critical vulnerabilities, and the maintainers deny it claiming it to be a configuration issue, allowing malware authors to troll the patch database for vulnerabilities.

It is just QA cost saving

But, just the other day I was told these bug bounties were "miserable" pay and were used to only lower a companies costs... Come on.

Wrong Approach

[imlepid]

We don't need "software updates that improve the security of OpenSSL", we need a whole new protocol.

If you really want to be helpful, Google, provide support and coordinate a competition to create a new SSL protocol, à la AES and SHA-3. Then we could make progress towards truly better security.

Re:Wrong Approach

[Lennie]

I get the impression that the crypto people don't yet know what they want.

Re:Wrong Approach

[imlepid]

Yes, I think that's true, but competitions will help focus minds. Most competitions will last a few years, including a period of laying out the requirements.

I envision a new protocol to replace 3 remote security functions: SSL/TLS, IPSec, and SSH. I think SSH is the most secure of the three of those today but they could all three use a rethink.

The ultimate goal, though, is not to do this as a separate project but as a unified community effort like the NIST competitions (see Standards).

Re:Wrong Approach

[Lennie]

My guess is SSH is in good shape because it gets the most updates.

That really in the long run is the best grantee for security. Keeping systems, software and crypto up to date.

Re:What if the morons at OpenSSL don't incorporate

[ifiwereasculptor]

Well, did you send the config files?

Re:What if the morons at OpenSSL don't incorporate

As a general rule: Ignorance is bliss. Yeah, I would have flamed that meme just a few years ago, but being about 40 and somewhat wiser, I start to support it. Or should I say "you better don't know how they make sausage" ?

If we really wanted to have secure code, we would certainly NOT use C-style code (that includes a boatload of C++ code which heavily uses C idioms such as "who cares about bounds-checking or automatic reference counting ?".

You know what ? The government (AT&T) created a language whose follow-on effects they now use for their "Cyber War Domain" thing. As always with the American government - "if there is not enough war, make yourself one".

Re:What if the morons at OpenSSL don't incorporate

[Sqr(twg)]

Exactly. As a software developer, I often get bug reports. My standard reply is to ask for the (equivalent of) config files, because 99 % of the time, it is not a bug, but user error. In those cases, I can find the error in the user's files in far less time than it would take me to go bug-hunting in the project code.
Conversely, when I submit bug-reports myself, I try to make a minimal case. If I can reproduce the bug with a fresh installation and default configuration, then I say so in the report.

Why not pay the OpenSSH project, Google?

[undeadbill]

From the OpenSSH FAQ- http://openssh.org/donations.html
"OpenSSH has no wealthy sponsors, nor a business model. In fact, no Commercial Unix or Linux vendor has ever given our project a cent. Naturally, the OpenSSH project requires funds to operate -- particularly so that our team members can meet in person once in a while (at OpenBSD hackathons) to design new ideas."

From the OpenSSH Security page- If you wish to report a security issue in OpenSSH, please contact the private developers list openssh@openssh.com.

A way of ensuring that bugs are proactively found in essential projects like this *isn't* to muddy the development process by establishing a separate security reporting structure, it is to fully fund the one that already exists and works very well. Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?

Re:Why not pay the OpenSSH project, Google?

DNRTFA; comment about "a separate security reporting structure" anyways!

Code fixes should be submitted directly to the maintainers of the individual projects. Once the patch is accepted and merged into the repository, submitters should e-mail the details to security-patches@google.com. "If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,113.70," Zalewski said.

PS:

Q: I’m a core developer working on one of the in-scope projects. Do my own patches qualify?
  A: Most certainly!

PPS:

The people and organizations who have contributed money, equipment, or services to OpenSSH are not kept separate, but are combined with the list of people who have donated to all OpenBSD projects. That list can be found at the main OpenBSD donation page.

If you'd care to search for "Google" on that page, you'd see it's already there in list of donors.

Re:Why not pay the OpenSSH project, Google?

It is up to them how they set their bounties or not. You can get paid from some other source.

Re:Why not pay the OpenSSH project, Google?

Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?

Um, for one, Google's listed on the OpenBSD donors page: http://www.openbsd.org/donations.html#people. Second, Google employs Damien Miller, who is one of the lead OpenSSH developers. Google employs a bunch of other OpenBSD developers too.

Re:Why not pay the OpenSSH project, Google?

[undeadbill]

Ok, I stand corrected then. Somebody, please take away my mod points!

Whitehat ? Blackhat ? Nope, greenhat.

[Lennie]

That is basically what Moxie Marlinspike said. It's mostly greenhats. Green for money.

Google is desperate

[surfslasher]

So this is how desperate Google has gotten? Instead of hiring someone they are giving them a one time gift. hehe...

Re:Google is desperate

That darn healthcare bill strikes again.....

Defect and earn

[Mister+Liberty]

Good. I hope this attracts a few NSA workers.

Re:I hope some cash goes toward the actual project

[skids]

They allow core developers to claim credit for their work. Note that this is for a bug report with patch, and the patch is expected to be more a systemic fix that is of high enough quality to be part of the codebase going forward than a workaround. If the hackathon produces such code and shepards it through the upstream pull request process, then the organization might try to see if Google would cut them a check instead of an individual developer. However, that pull process often takes a few days.

Why bother?

[WillAffleckUW]

Why bother - the NSA will just backdoor it anyway and there will be an even wider door left open.

BIND, almost the last major pre-database program

[Animats]

BIND suffers from the fact that it's a database program without a real database inside. It dates from the days before UNIX/Linux had database programs. Almost the only other major UNIX/Linux program with that problem is Sendmail, which should have died decades ago. (QMail should have replaced Sendmail, but the author does not promote it well. He does, however, offer a $500 reward for anyone finding a security bug. That's been offered since 1997, with no takers.)

Paid?

No one needs to be paid to find security flaws in Windows 8. Windows 8 IS a security flaw.

Re:Paid?

Which is why we have 8.1..... No flaws there.... Wait.... It can't be!

Mod this up

[Sits]

Additionally isn't Google a Linux vendor these days? Seems a bit disingenuous to still say

no Commercial Unix or Linux vendor has ever given our project [openssh] a cent

While they're at it

[ALeader71]

Could they fix the on-going problems with the Intel chipsets that now inhabit nearly every laptop sold? How about the Ralink WiFi chipsets that can't maintain a reliable connection?

Oh and the touchpad drivers -- I should be able to automatically shut the thing down when I plug in my external mouse.

Re:BIND, almost the last major pre-database progra

[MikeBabcock]

BIND suffers from the delusions of those who wrote it.

No matter how you feel about the programmers involved though, spend ten minutes configuring and using tinydns and then BIND and ask yourself why anyone uses BIND.

Re:BIND, almost the last major pre-database progra

Regarding qmail not having any security flaws, and there being no takers on the $500, that is not strictly true:

http://www.jcb-sc.com/qmail/guninski.html

djb has refused to give the $500, but that is merely another symptom of his Jupiter-sized ego distorting reality.

Re:BIND, almost the last major pre-database progra

You are wrong in so many ways, it is really sad.

Having a database backend can often result in a slower program, and provides another attack surface; ie the opposite of more secure.

One of the first database programs for UNIX was written in 1979 by Ken Thompson - try looking up "dbm". (Which obviously predates both BIND and Sendmail.) dbm's descendants are still in use by Linux, UNIX, and major programming languages (e.g. perl, python) should a developer wish to use a simple database rather than text file, although there are distinct advantages to text - see ESR's The Art of Unix Programming.

You might look up the Dunning–Kruger effect also....