Google Offers Cash For Security Fixes To Linux and Other FOSS Projects
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
They could just not bother at all. Is there anyone else offering bug bounties on software they didn't even write to begin with? Anyone?
They aren't asking people to fix THEIR software.
OpenSSL is a free open source library, not maintained by Google.
OpenSSH is a free open source library, not maintained by Google.
BIND is free open source... oh you get the picture.
They are asking people to fix open libraries that everyone is using. OpenSSL is a library used to provide encryption for HTTPS requests, emails sent over TLS, etc. OpenSSH is what almost all ssh servers and clients use to securely log in and encrypt communication end to end.
The motivation for fixing these is the fact that your internet access to your bank account depends on it. Google is just sweetening the pot. Selling exploits in these libraries would be the same as selling the bank account of almost every American.
This is a publicity move based on the disclosure of PRISM. The back doors in OpenSSH and OpenSSL were baked in on purpose by the NSA. This was disclosed in the Snowden documents. Google wants these to be patched, and wants people to see that they helped get them patched, but because of PRISM, Google wouldn't be trusted to submit code upstream. This is an attempt at spreading "we care about the community," not their typical "we're paying people peanuts for fixing our software."
Keep in mind that this is open-source software. Most people fix these for free right now. This throws a bit of incentive out there for people to look a little more actively. For their own closed products like Chrome, though, yeah, the amounts are way too low. Still, I think they should get a little credit for offering money for stuff that benefits us all (including them, of course).
What is your conscience worth to you?
Researchers have been responsibly reporting vulnerabilities for decades, usually out of an altruistic desire to make the world a little safer. The extra cash is just a token of appreciation, not a work-for-hire deal. Heck, a lot of researchers are already getting paid on salary to do the work that leads them to the bugs.
You do not have a moral or legal right to do absolutely anything you want.
Okay Google, that's just not nice.
Google paying people for finding bugs in software that Google didn't produce isn't nice? Who else does that?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
I was going to say criminals, but now it's partially redundant.
"I opened my eyes, and everything went dark again"