Slashdot Mirror


Google Offers Cash For Security Fixes To Linux and Other FOSS Projects

jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.

1 of 94 comments

  1. Re:No. by Anonymous Coward · Score: 5, Insightful

    They aren't asking people to fix THEIR software.

    OpenSSL is a free open source library, not maintained by Google.
    OpenSSH is a free open source library, not maintained by Google.
    BIND is free open source... oh, you get the picture.

    They are asking people to fix open libraries that everyone is using. OpenSSL is a library used to provide encryption for HTTPS requests, emails sent over TLS, etc. OpenSSH is what almost all ssh servers and clients use to securely log in and encrypt communication end to end.

    The motivation for fixing these is the fact that your internet access to your bank account depends on it. Google is just sweetening the pot. Selling exploits in these libraries would be the same as selling the bank account of almost every American.

    This is a publicity move based on the disclosure of PRISM. The back doors in OpenSSH and OpenSSL were baked in on purpose by the NSA. This was disclosed in the Snowden documents. Google wants these to be patched, and wants people to see that they helped get them patched, but because of PRISM, Google wouldn't be trusted to submit code upstream. This is an attempt at spreading "we care about the community," not their typical "we're paying people peanuts for fixing our software."