NCC Group launches bounty for open source security flaw fixes

Firm hopes bounty scheme will inspire others to do the same to encourage security specialists to make open source software more secure

Information assurance firm NCC Group has introduced an in-house security fix bounty scheme that rewards its consultants for fixing vulnerabilities in open source software.

Unlike traditional bug bounty programmes, which reward individuals for identifying security vulnerabilities in software, the Fix Bounty scheme rewards workable fixes for those vulnerabilities.

By looking solely at open source software, NCC aims to raise the level of security assurance in projects that are often under-resourced in terms of security expertise and scrutiny.

The firm’s security consultants receive points for each security fix they provide that is accepted by the project’s maintainer(s) and eventually merged into the project’s main codebase.

No points are awarded for vulnerabilities identified without an accepted fix, but NCC said it would still follow responsible disclosure and provide the vulnerability detail to the affected project.

The number of points received depends on how popular the open source component is on the GitHub platform, which is where the Fix Bounty scheme will focus initially. Currently, points are calculated using the formula (GitHub stars/10,000) * forks.

The assumption is that those projects that are more popular are likely to be more prevalent, and so fixing vulnerabilities in popular open source projects is more likely to have a material impact on software security globally.

Points are tallied on a rolling basis, with a range of rewards up for grabs for those at the top of the charts. Currently, there is a “fix of the year” award and a tech-related prize of choice to the value of £500 for anyone reaching 10 million points.

Depending on the popularity and uptake of the scheme, NCC said it may look to introduce additional awards of differing value for different achievements and points accumulation.

“We have got some of the most talented consultants in the security industry and this scheme gives them a platform to improve software security, give back to the open source community and be rewarded for their efforts,” said Matt Lewis, research director at NCC Group.

“In the spirit of collaboration, we urge others in the industry to take this model and copy or evolve it further. The more resource we have identifying and fixing open source code vulnerabilities, the better.”

Lewis said NCC Group welcomed conversations with anyone interested in learning more about its Fix Bounty.

Asked whether employees are allowed to work on finding bugs and developing fixes during office hours, he said they are allowed to do so if they are not assigned to a client or internal project work. “They can also choose to work in teams if they wish, agreeing to share between them any points won,” said Lewis.
