Google will expand its bounty program by adding awards for fixing vulnerabilities in open-source software, not necessarily in its own products.
The company started rewarding developers for fixing flaws in Google's own software in 2010, when it introduced the bounty program for the Chrome web browser. Google is now reported to be ready to pay for improvements to other vendors' products as well.
Explaining the scope and requirements for eligible fixes, security specialist Michal Zalewski wrote in a blog post: “We decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help!”
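One of the "proactive improvements" Zalewski lists is cleaning up sketchy strcat() calls. The following is an added illustration, not code from Google or from any of the listed projects: the unbounded pattern is shown in a comment, and below it a bounded append helper (`safe_append`, `build_path` and `path_builder_selfcheck` are hypothetical names chosen here) that refuses to write past the caller's buffer instead of overflowing it.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The kind of call a cleanup would target (shown only as a comment, never executed):
 *
 *   char path[64];
 *   strcpy(path, base);
 *   strcat(path, "/");
 *   strcat(path, name);   // no length check: a long 'name' overflows 'path'
 */

/* Bounded replacement for strcat(): append src to the NUL-terminated string in dst,
 * never writing beyond cap bytes. Returns false and leaves dst unchanged when the
 * result (including its terminating NUL) would not fit. */
bool safe_append(char *dst, size_t cap, const char *src) {
    const char *nul = memchr(dst, '\0', cap);   /* locate current end within cap */
    if (nul == NULL) return false;              /* dst is not terminated inside cap */
    size_t used = (size_t)(nul - dst);
    size_t need = strlen(src);
    if (need >= cap - used) return false;       /* no room for src plus the NUL */
    memcpy(dst + used, src, need + 1);          /* copies the terminator too */
    return true;
}

/* Build "<base>/<name>" into out (capacity cap). Returns false instead of
 * overflowing; on failure the caller must treat out as unusable. */
bool build_path(char *out, size_t cap, const char *base, const char *name) {
    if (cap == 0) return false;
    out[0] = '\0';
    return safe_append(out, cap, base)
        && safe_append(out, cap, "/")
        && safe_append(out, cap, name);
}

/* Self-check with constructed inputs: returns 1 when a fitting path is built
 * correctly and an oversized one is rejected rather than truncated or overflowed. */
int path_builder_selfcheck(void) {
    char buf[16];
    if (!build_path(buf, sizeof buf, "/etc", "hosts")) return 0;
    if (strcmp(buf, "/etc/hosts") != 0) return 0;
    if (build_path(buf, sizeof buf, "/very/long/prefix", "name")) return 0;
    return 1;
}

int main(void) {
    char buf[16];
    if (build_path(buf, sizeof buf, "/etc", "hosts"))
        printf("built: %s\n", buf);
    if (!build_path(buf, sizeof buf, "/very/long/prefix", "name"))
        printf("rejected: result would not fit in %zu bytes\n", sizeof buf);
    return 0;
}
```

The helper reports failure explicitly rather than silently truncating, so a caller cannot mistake a shortened path for the intended one; that explicit error path is what distinguishes a real cleanup from a mechanical swap of strcat() for strncat().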
Initially, the program will only be active for certain open-source projects, such as the OpenSSL and OpenSSH secure-communication software, the BIND DNS server, and security-critical components of the Linux kernel. Google will then widen the scope to include the Apache web server, the Sendmail, Postfix and Exim mail servers, and the GNU software-development tools.
According to Zalewski, the company chose this selective approach because it believes it will be more productive than paying for the discovery of flaws in existing open-source code.
He recommends reviewing the program documents, which provide further information on eligibility, requirements, and other details.