Google expands bug bounty program to include open source software


Internet technology company Google is adding bugs in open source software (OSS) to its vulnerability reward program, effectively expanding the bug bounty project that has been ongoing since November 2010.

In its initial run, Google will be offering vulnerability rewards ranging from $500 to $3,133.70 for core infrastructure network services, including OpenSSH, BIND and ISC DHCP, and for core infrastructure image parsers, including libjpeg, libjpeg-turbo, libpng and giflib, according to a post by Michal Zalewski, a Google security team member.

Bug hunters will also receive vulnerability rewards for open-source foundations of Google Chrome, such as Chromium and Blink; other high-impact libraries, including OpenSSL and zlib; and security-critical and commonly used components of the Linux kernel, including Kernel-based Virtual Machine, according to the Zalewski post.

“So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” Zalewski said. “Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help!”
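The strcat() cleanup Zalewski mentions is the kind of proactive hardening the program is meant to reward. As an added illustration (not code from Google, the article, or any of the listed projects), the following C snippet contrasts the unbounded pattern with a bounded append that reports truncation instead of writing past the buffer. The helper names, the path-building scenario and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper, not from the article: append src to dst without ever
 * writing past dst_size bytes. Returns 0 on success, -1 if the result would
 * not fit (dst is left unchanged and still NUL-terminated). */
static int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;
    while (used < dst_size && dst[used] != '\0')
        used++;
    if (used == dst_size)          /* dst is not NUL-terminated: refuse */
        return -1;
    size_t need = strlen(src);
    if (need >= dst_size - used)   /* no room for src plus the NUL */
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Constructed scenario: build "<dir>/<file>" from a caller-supplied file name. */

/* The pattern the quote calls "sketchy": strcat() trusts the caller to have
 * sized the buffer, so an over-long file name silently overflows it. Kept
 * here only for contrast; it is never called. */
void build_path_sketchy(char *out, const char *dir, const char *file)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, file);
}

/* Hardened version: every append is checked against the real buffer size.
 * Returns 0 on success, -1 if the path would not fit. */
int build_path_bounded(char *out, size_t out_size, const char *dir, const char *file)
{
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    if (append_bounded(out, out_size, dir) != 0)
        return -1;
    if (append_bounded(out, out_size, "/") != 0)
        return -1;
    if (append_bounded(out, out_size, file) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char path[32];
    if (build_path_bounded(path, sizeof path, "/var/log", "auth.log") == 0)
        printf("ok: %s\n", path);

    /* A 40-character name cannot fit in 32 bytes; the bounded version says so
     * instead of corrupting the stack. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    if (build_path_bounded(path, sizeof path, "/var/log", too_long) != 0)
        printf("rejected: name too long for %zu-byte buffer\n", sizeof path);
    return 0;
}
```

The point of the bounded helper is that the buffer size travels with the buffer, so a reviewer can check each call site locally; the caller also gets an explicit error to act on rather than undefined behaviour.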

In the future, Google is hoping to expand the OSS bug bounty program to web servers, including Apache httpd, lighttpd and nginx; SMTP services, including Sendmail, Postfix and Exim; toolchain security improvements for GCC, binutils and llvm; and OpenVPN, Zalewski said in the post.

“We're excited about this new effort, which complements and extends our long-running vulnerability reward programs for Google web applications and for Google Chrome,” a Google spokesperson told SCMagazine.com on Thursday.

Not everyone is convinced vulnerability reward programs mitigate threats entirely. Aviram Jenik, CEO of vulnerability assessment company Beyond Security, told SCMagazine.com on Thursday that his personal experiences with Google's bug bounty program have been “not stellar.”

“Interesting thought: Anyone who sells a weaponized vulnerability to the highest bidder and does it anonymously could possibly also sell the solution to Google,” Brian Pearce, COO of Beyond Security, told SCMagazine.com on Thursday.

[An earlier version of this story incorrectly stated that Brian Pearce is COO of Beyond Trust].  
