Google to reward open source security fixes

Google has announced plans to reward developers for proactive security improvements for select open source projects


Initially, these include core infrastructure network services such as OpenSSH, core infrastructure image parsers such as Libjpeg, open source foundations of Google Chrome, high-impact libraries such as OpenSSL and security-critical components of the Linux kernel.

The internet firm said the initiative aims to improve the security of key third-party software critical to the health of the internet.

Google said the reward scheme complements and extends its long-running vulnerability reward programmes for Google web applications and Google Chrome.

The new scheme offers rewards of between $500 and $3,000 for any patch that has “a demonstrable, significant, and proactive impact” on the security of one of the in-scope projects.

Adjudicators will be looking for things such as improvements to privilege separation, memory allocator hardening and the elimination of error-prone design patterns.

But Google said reactive patches that merely address a single, previously discovered vulnerability will not be eligible for rewards.

To qualify, patches must first be submitted directly to the maintainers of the project, and developers must work with them to have the patches accepted into the repository and incorporated into the program.

Google decided against creating a bounty programme for finding bugs in open source code because of fears of being overwhelmed by “spurious traffic”, said Michal Zalewski of Google's security team.

“We decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” he wrote in Google’s security blog.

Although Google has limited the scope of the qualifying open source projects to begin with, the firm plans to extend the initiative to include web servers such as Apache, SMTP services such as Sendmail and virtual private network software such as OpenVPN.
