Search engine giant Google announced on October 9, 2013 a new, experimental program that rewards proactive security improvements to select open-source projects. This effort complements their long-running vulnerability reward programs for Google web applications and for the new Google Chrome OS. The official announcement on Google's blog reads:
We all benefit from the amazing volunteer work done by the open source community. That's why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program – and employ it to improve the security of key third-party software critical to the health of the entire Internet.
According to Google, announcing only a bug-hunting program for developers would not generate a meaningful volume of submissions and could even backfire. So Google will now reward developers who not only find a bug but also submit a patch for it to Google's security team.
Which projects are included in the Patch Reward Program?
- All the open-source components of Android: Android Open Source Project. (New addition)
- Widely used Web servers: Apache httpd, lighttpd, nginx.
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot.
- Virtual private networking: OpenVPN.
- Network time: University of Delaware NTPD.
- Additional core libraries: Mozilla NSS, libxml2.
- Toolchain security improvements for GCC, binutils, and llvm.
These additions join the following five project types with which Google launched its program in October:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP.
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib.
- Open-source foundations of Google Chrome: Chromium Project, Blink.
- Other libraries: OpenSSL, zlib.
- Security-critical, commonly used components of the Linux kernel (including KVM).
What types of submissions qualify?
Any patch that has a demonstrable, significant, and proactive impact on the security of one of the in-scope projects will be considered for a reward. Examples include:
- Improvements to privilege separation,
- Memory allocator hardening,
- Cleanups of integer arithmetics,
- Systematic fixes for various types of race conditions,
- Elimination of error-prone design patterns or library calls
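To make concrete what a proactive hardening patch of the "cleanups of integer arithmetics" kind looks like, here is an added example. It is not code from Google's program or from any of the listed projects, and the function names and sample sizes are constructed for this illustration. It shows a buffer-size computation in C as it is commonly written, next to a hardened version that refuses to allocate when the multiplication would overflow, which is the class of defect behind many heap overflows in image parsers and network daemons.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Before: a typical size calculation. If count * elem_size wraps around,
 * a tiny buffer is allocated and later writes run past its end.
 * Hypothetical helper name, constructed for this example. */
size_t naive_buffer_bytes(size_t count, size_t elem_size)
{
    return count * elem_size;   /* silently wraps on overflow */
}

/* After: refuse the computation when the product cannot be represented.
 * Returns true and stores the product in *out on success, false on overflow.
 * __builtin_mul_overflow exists in GCC >= 5 and in Clang. */
bool checked_buffer_bytes(size_t count, size_t elem_size, size_t *out)
{
    size_t total;
    if (__builtin_mul_overflow(count, elem_size, &total)) {
        return false;
    }
    *out = total;
    return true;
}

/* Portable variant without compiler builtins, for older toolchains:
 * the product overflows exactly when count exceeds SIZE_MAX / elem_size. */
bool checked_buffer_bytes_portable(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return false;
    }
    *out = count * elem_size;
    return true;
}

/* Allocation wrapper in the hardened style: NULL on overflow as well as on
 * out-of-memory, so callers have a single failure path to check. */
void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_buffer_bytes(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

int main(void)
{
    /* Constructed input: an untrusted element count chosen so that
     * count * 8 wraps to 0 on both 32-bit and 64-bit size_t. */
    size_t huge = SIZE_MAX / 4 + 1;
    size_t out;

    printf("naive:   %zu bytes\n", naive_buffer_bytes(huge, 8));
    printf("checked: %s\n",
           checked_buffer_bytes(huge, 8, &out) ? "ok" : "overflow rejected");

    void *p = alloc_array(16, 8);
    printf("alloc_array(16, 8): %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```

The naive version returns 0 for the constructed input, so a real program would allocate nothing and then write `huge` elements into it; the checked versions return false and the allocation wrapper returns NULL instead. A patch that replaces every `count * size` allocation in a parser with such a checked helper is exactly the kind of systematic cleanup the list above describes.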
How do I submit my patch?
You first need to find a bug and then submit the patch directly to the maintainers of the project who work for Google. You must then coordinate with them to have it accepted into the repository and incorporated into a shipping release of the program, and then submit your entry to email@example.com.
According to Google, requiring the patch to ship serves two purposes: it minimizes the burden on the maintainers and it ensures high-quality code. Also, a patch that never ships simply doesn't help Google much 🙂
Why won't Google reward me just for finding bugs?
Google believes that merely finding bugs does not improve security by itself; finding the solution, that is, a patch, is what actually improves the security of these applications and projects. Also, if you are worried that your work could be misused, Google allows you to submit it privately to the security team.
How much will I earn?
Rewards for qualifying submissions will range from $500 to $3,133.7 (I never got to know why the extra 70 cents). Still, the final amount is always chosen at the discretion of the reward panel and is based on its judgment of the complexity and impact of the patch. (So don't irritate the security team.)
Is this the first time Google has done this?
No, Google has been running this kind of bug hunting for some time, and many people have managed to earn thousands of dollars from it. The most famous of them is Pinkie Pie, who earned $60,000 last year and another $40,000 this year. Isn't it great?
Is Google the only company doing this?
- No, Microsoft's Mitigation Bypass and BlueHat Defense bounties are similar bug-hunting programs
- Facebook, too, rewards finding a bug or exploit affecting Facebook's security through its Facebook Security program
- One awesome thing is that Ivan Fratric, a Google security team member and one of the Patch Reward program panelists, actually took part in Microsoft's bug hunting with a bug in IE 11 and was rewarded for it in October 2013
What does this mean for Google and why are they doing this?
Google simply wants to improve the security of its applications, which it fears losing to potential attackers, and to remove the need for additional third-party app support, avoiding unofficial app support of the kind iMessage got on Android. Google also feels that open source will appeal more to developers if open-source contributors themselves can help Google find faults in the system. Finally, Google feels that many bugs can be avoided through improved coding techniques and by avoiding error-prone function calls in programs, which in turn prevents exploits against a system.
Who benefits, Google or developers?
- In a way, Google benefits the most, since it can improve its code with simple help from developers who already work on open-source projects
- Developers can earn a modest amount in return for giving their precious time to Google
- Customers who use Google services in day-to-day life will now possibly have better security for all their online stored data
So, in turn, everyone benefits from this.