Google Offers Cash For Security Fixes To Linux and Other FOSS Projects
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
They could keep the theme and just add some zeros.
They could just not bother at all. Is there anyone else offering bug bounties on software they didn't even write to begin with? Anyone?
3133.7 x 10 to the power of ___?
The NSA does.
Why not have in-house staff or pay a 3rd party to do stuff like this full time, and not a system that can lead to devs coding themselves (or people they know) minivans?
http://dilbert.com/strips/comic/1995-11-13/
They aren't asking people to fix THEIR software.
OpenSSL is a free open source library, not maintained by Google.
OpenSSH is a free open source library, not maintained by Google.
BIND is free open source... oh you get the picture.
They are asking people to fix open libraries that everyone is using. OpenSSL is a library used to provide encryption for HTTPS requests, emails sent over TLS, etc. OpenSSH is what almost all ssh servers and clients use to securely log in and encrypt communication end to end.
The motivation for fixing these is the fact that your internet access to your bank account depends on it. Google is just sweetening the pot. Selling exploits in these libraries would be the same as selling the bank account of almost every American.
This is a publicity move based on the disclosure of PRISM. The back doors in OpenSSH and OpenSSL were baked in on purpose by NSA. This was disclosed in the Snowden documents. Google wants these to be patched, and wants people to see that they helped get them patched, but because of PRISM, Google wouldn't be trusted to submit code upstream. This is an attempt at spreading "we care about the community," not their typical "we're paying people peanuts for fixing our software."
Keep in mind that this is open-source software. Most people fix these for free right now. This throws a bit of incentive out there for people to look a little more actively. For their own closed products like Chrome though, yeah, the amounts are way too low. Still, I think they should get a little credit for offering money for stuff that benefits us all (including them of course).
What is your conscience worth to you?
Researchers have been responsibly reporting vulnerabilities for decades, usually out of an altruistic desire to make the world a little safer. The extra cash is just a token of appreciation, not a work-for-hire deal. Heck, a lot of researchers are already getting paid on salary to do the work that leads them to the bugs.
You do not have a moral or legal right to do absolutely anything you want.
Okay Google, that's just not nice.
Google paying people for finding bugs in software that Google didn't produce isn't nice? Who else does that?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
I was going to say criminals, but now it's partially redundant.
"I opened my eyes, and everything went dark again"
Well, did you send the config files?
This, a thousand times.
OP just sounded like, "Fuck you, I'm using my skills for extortion!"
Anyway, a criminal would sell the flaw to every market. So it makes absolute sense not to start an arms race with the mafia.
... or they'd write it themselves and release it as open-source. They've done it with other tools, and even a mobile operating system. Every other tech company in the world is using these same infrastructure technologies as Google, and you're ranting at the one company that is paying at least something, albeit not really enough. I think your outrage is a little misdirected.
Google isn't hiring people to actually look at the code and submit changes if problems were found.
And your evidence for that is... what, exactly? They have a bug bounty program (and of course this new program, which has nothing to do with bugs or security holes at all, so technically this whole thread is quite offtopic, but anyways). That does not mean they don't also have internal testers. The idea that they don't is entirely inside your head (unless you have some pretty compelling evidence Google hires no software testers, which would be... well, pretty fucking astonishing if actually true).
A bug bounty program exists because in complex software some bugs will always (always) slip through, no matter if you paid thousands of testers for thousands of hours to test it. By having an external program, you basically end up with millions of (extra) testers. Untrained ones, who will probably catch one-thousandth the bugs your primary testers do (especially because the glaring ones are usually fixed long before the public sees the program), but extra testers nevertheless.
Anyways, actually relevant to the story: this new program is Google paying people who add security features to existing FOSS projects. You know, like the developers of that software already do for free (well, some of them do anyways, quite a few of the features are added by developers paid to work on some project or another). Only now, they can earn a little extra money on the side for it (which they couldn't even do selling "exploits" because they aren't finding exploits, they're adding extra security features). The story is that Google is giving people money to make the Internet as a whole more secure (or in other words paying people not to fix problems in Google's code, but to make non-Google software better in general).
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Okay Google, that's just not nice. That's a slap in the face. So I'm not gonna be nice in my reply to you either. Everyone -- if you have a security vulnerability in a Google product, sell it on the black market. You can easily get a hundred grand for a popular product.
Reminds me of the referral bonus they offered at a place I worked a while ago. The bonus was $500. However they were willing to pay $25,000 to a head hunter for the same service. Needless to say, not many people bothered to take them up on it.
The only thing worse than a Democrat is a Republican.
From the OpenSSH FAQ- http://openssh.org/donations.html
"OpenSSH has no wealthy sponsors, nor a business model. In fact, no Commercial Unix or Linux vendor has ever given our project a cent. Naturally, the OpenSSH project requires funds to operate -- particularly so that our team members can meet in person once in a while (at OpenBSD hackathons) to design new ideas."
From the OpenSSH Security page- If you wish to report a security issue in OpenSSH, please contact the private developers list openssh@openssh.com.
A way of ensuring that bugs are proactively found in essential projects like this *isn't* to muddy the development process by establishing a separate security reporting structure; it is to fully fund the one that already exists and works very well. Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax-deductible donation or written off as R&D? Really?
Yes, I think that's true, but competitions will help focus minds. Most competitions will last a few years, including a period of laying out the requirements.
I envision a new protocol to replace 3 remote security functions: SSL/TLS, IPSec, and SSH. I think SSH is the most secure of the three today, but all three could use a rethink.
The ultimate goal, though, is not to do this as a separate project but as a unified community effort like the NIST competitions (see Standards).