Google Offers Cash For Security Fixes To Linux and Other FOSS Projects
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
Re:No. (Score:4, Insightful)
They could keep the theme and just add some zeros.
Re: (Score:2, Interesting)
3133.7 x 10 to the power of ___?
Re:No. (Score:5, Insightful)
Keep in mind that this is open-source software. Most people fix these for free right now. This throws a bit of incentive out there for people to look a little more actively. For their own closed products like Chrome though, yeah, the amounts are way too low. Still, I think they should get a little credit for offering money for stuff that benefits us all (including them of course).
Re: (Score:3)
... or they'd write it themselves and release it as open-source. They've done it with other tools, and even a mobile operating system. Every other tech company in the world is using these same infrastructure technologies as Google and you're ranting at the one company that is paying at least something, albeit not really enough. I think your outrage is a little misdirected.
Re: (Score:2)
BIND is developed by isc.org. They're entirely funded by donations.
The complete re-write that is BIND 9 was entirely funded by a group of companies, the likes of Sun and IBM and others. Of course this happened before Google existed.
Re: (Score:1)
So, all the big companies that use all those projects - yeah, girl, these are used by most big IT companies out there - and are paying 0 (zero, zilch, no) dollars to the volunteers - do those get negative credits then, or what?
Re: (Score:2)
Should Google fire the OpenSSH developers they employ (Like this guy [mindrot.org])? Should they stop donating to OpenBSD as shown here [openbsd.org]?
Re: (Score:2)
Your tagline has it wrong, you just are a troll. Your post contains no usable argument points whatsoever.
One's income has no bearing on the good one does.
Re: (Score:2)
How many exploits do they have to find as "security researchers" in order to make six figures? You really think those companies that hire them pay six figures for just one (apparently, since you called a 5-digit payout per exploit "short of the mark"). That amount of money adds up quickly for those with the expertise, and they don't even have to be under Google's employ to earn it, meaning that their options are open and other companies won't balk from fixes and reports coming from a potential competitor,
Re: (Score:1)
Double facepalm.
So you mean to say it said anywhere "So, dudes, we're gonna fire all our developers and now we'll just pay you for patches, whatevs"?
So you mean to say all the other good companies are paying hand over fist for working on those? Apple uses OpenSSH since Mac OS X 10.0.1 and used OpenSSL until 10.7 - where does a volunteer apply to get money from Apple for working on it?
Some of those projects they intend to support aren't even probably used by Google - eg., they're going to pay for working on
Re: (Score:2)
I don't think; I know. They're a business. Their mission statement includes the requirement that they are for-profit. Which means if they're just throwing money away like this, they'd be in trouble with the SEC and their stockholders.
So when any for profit company makes a donation to a charity they'll get in trouble with the SEC?
What about all the money Google throws at Google Drive, Gmail and all those other free services? They make the company no direct money. Their income comes from advertising.
Every cent a company spends is not required to be directly translatable into profit.
Re: (Score:2)
Google isn't hiring people to actually look at the code and submit changes if problems were found (either internally patched/unreleased, or publicly available; The license allows for either). That would be the truly responsible thing to do.
Maybe they plan on hiring people, but they're establishing the market wages for that job in advance.
Re: (Score:3)
Google isn't hiring people to actually look at the code and submit changes if problems were found
And your evidence for that is... what, exactly? They have a bug bounty program (and of course this new program, which has nothing to do with bugs or security holes at all, so technically this whole thread is quite off-topic, but anyways). That does not mean they don't also have internal testers. The idea that they don't is entirely inside your head (unless you have some pretty compelling evidence Google hires no software testers, which would be... well, pretty fucking astonishing if actually true).
A bug bou
Re: (Score:1)
And your evidence for that is... what, exactly?
The lack of job postings was a clue.
They have a bug bounty program...
Yes, one that's almost painfully cheap.
some bugs will always (always) slip through, no matter if
You're using the Nirvana Fallacy [wikipedia.org]. Just because some bugs will slip through is not an excuse not to take due diligence in preventing them. And what Google is doing is not due diligence.
Untrained ones, who will probably catch one-thousandth the bugs your primary testers do
Which just goes to my original point: Giving financial support to the developers and maintainers of the product would be both (a) an actual contribution towards creating a reliable product, and (b) be significantly more effective.
this new program is Google paying people who add security features to existing FOSS projects.
You're confused. Bug fi
Re:No. (Score:5, Funny)
I was going to say criminals but now it's partially redundant.
Re:No. (Score:5, Insightful)
They aren't asking people to fix THEIR software.
OpenSSL is a free open source library, not maintained by Google.
OpenSSH is a free open source library, not maintained by Google.
BIND is free open source... oh you get the picture.
They are asking people to fix open libraries that everyone is using. OpenSSL is a library used to provide encryption for HTTPS requests, emails sent over TLS, etc. OpenSSH is what almost all ssh servers and clients use to securely login and encrypt communication end to end.
The motivation for fixing these is the fact that your internet access to your bank account depends on it. Google is just sweetening the pot. Selling exploits in these libraries would be the same as selling the bank account of almost every American.
This is a publicity move based on the disclosure of PRISM. The back doors in OpenSSH and OpenSSL were baked in on purpose by NSA. This was disclosed in the Snowden documents. Google wants these to be patched, and wants people to see that they helped get them patched, but because of PRISM, Google wouldn't be trusted to submit code upstream. This is an attempt at spreading "we care about the community" not their typical "we're paying people peanuts for fixing our software."
Re: (Score:1)
Who's Alexander? No, seriously.
Re:No. (Score:5, Insightful)
What is your conscience worth to you?
Researchers have been responsibly reporting vulnerabilities for decades, usually out of an altruistic desire to make the world a little safer. The extra cash is just a token of appreciation, not a work-for-hire deal. Heck, a lot of researchers are already getting paid on salary to do the work that leads them to the bugs.
Re:No. (Score:4, Insightful)
This, a thousand times.
OP just sounded like, "Fuck you, I'm using my skills for extortion!"
Anyway, a criminal would sell the flaw to every market. So it makes absolute sense not to start an arms race with the mafia.
Re:No. (Score:5, Informative)
Okay Google, that's just not nice.
Google paying people for finding bugs in software that Google didn't produce isn't nice? Who else does that?
Re: (Score:3)
Okay Google, that's just not nice. That's a slap in the face. So I'm not gonna be nice in my reply to you either. Everyone -- if you have a security vulnerability in a google product; Sell it on the black market. You can easily get a hundred grand for a popular product.
Reminds me of the referral bonus they offered at a place I worked a while ago. The bonus was $500. However they were willing to pay $25,000 to a head hunter for the same service. Needless to say, not many people bothered to take them up on it.
I hope some cash goes toward the actual projects (Score:1)
Bugs in OpenSSH and BIND are often discovered by OpenBSD during some Hackathons so I'd hope that they're giving regular donations to the appropriate projects.
Re: (Score:2)
They allow core developers to claim credit for their work. Note that this is for a bug report with patch, and the patch is expected to be more a systemic fix that is of high enough quality to be part of the codebase going forward than a workaround. If the hackathon produces such code and shepherds it through the upstream pull request process, then the organization might try to see if Google would cut them a check instead of an individual developer. However, that pull process often takes a few days.
Why not have in house staff or pay a 3rd party (Score:3)
Why not have in house staff or pay a 3rd party to do stuff like this full time and not a system that can lead to Dev's coding themselves (or people they know) minivans?
http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]
Re: (Score:3)
Well, did you send the config files?
Re: (Score:1)
Exactly. As a software developer, I often get bug reports. My standard reply is to ask for the (equivalent of) config files, because 99% of the time, it is not a bug, but user error. In those cases, I can find the error in the user's files in far less time than it would take me to go bug-hunting in the project code.
Conversely, when I submit bug-reports myself, I try to make a minimal case. If I can reproduce the bug with a fresh installation and default configuration, then I say so in the report.
Wrong Approach (Score:2)
We don't need "software updates that improve the security of OpenSSL", we need a whole new protocol [cryptograp...eering.com].
If you really want to be helpful, Google, provide support and coordinate a competition to create a new SSL protocol, à la AES [wikipedia.org] and SHA-3 [nist.gov]. Then we could make progress towards truly better security.
Re: (Score:2)
I get the impression that the crypto people don't yet know what they want.
Re: (Score:3)
Yes, I think that's true, but competitions will help focus minds. Most competitions will last a few years, including a period of laying out the requirements.
I envision a new protocol to replace 3 remote security functions: SSL/TLS, IPSec, and SSH. I think SSH is the most secure of the three of those today but they could all three use a rethink.
The ultimate goal, though, is not to do this as a separate project but as a unified community effort like the NIST competitions (see Standards [xkcd.com]).
Re: (Score:2)
My guess is SSH is in good shape because it gets the most updates.
That, in the long run, is really the best guarantee for security: keeping systems, software and crypto up to date.
Why not pay the OpenSSH project, Google? (Score:4, Insightful)
From the OpenSSH FAQ: http://openssh.org/donations.html [openssh.org]
"OpenSSH has no wealthy sponsors, nor a business model. In fact, no Commercial Unix or Linux vendor has ever given our project a cent. Naturally, the OpenSSH project requires funds to operate -- particularly so that our team members can meet in person once in a while (at OpenBSD hackathons) to design new ideas."
From the OpenSSH Security page: "If you wish to report a security issue in OpenSSH, please contact the private developers list openssh@openssh.com."
A way of ensuring that bugs are proactively found in essential projects like this *isn't* to muddy the development process by establishing a separate security reporting structure, it is to fully fund the one that already exists and works very well. Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?
Re: (Score:3, Informative)
DNRTFA; comment about "a separate security reporting structure" anyways!
Code fixes should be submitted directly to the maintainers of the individual projects. Once the patch is accepted and merged into the repository, submitters should e-mail the details to security-patches@google.com. "If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,113.70," Zalewski said.
PS:
Q: I’m a core developer working on one of the in-scope projects. Do my own patches qualify?
A: Most certainly!
PPS:
The people and organizations who have contributed money, equipment, or services to OpenSSH are not kept separate, but are combined with the list of people who have donated to all OpenBSD projects. That list can be found at the main OpenBSD donation page.
If you'd care to search for "Google" on that page, you'd see it's already there in the list of donors.
Re: (Score:2, Informative)
Um, for one, Google's listed on the OpenBSD donors page: http://www.openbsd.org/donations.html#people. Second, Google employs Damien Miller, who is one of the lead OpenSSH developers. Google employs a bunch of other OpenBSD developers too.
Mod this up (Score:2)
Additionally isn't Google a Linux vendor these days? Seems a bit disingenuous to still say
no Commercial Unix or Linux vendor has ever given our project [openssh] a cent [openssh.com]
Re: (Score:2)
Ok, I stand corrected then. Somebody, please take away my mod points!
Whitehat ? Blackhat ? Nope, greenhat. (Score:2)
That is basically what Moxie Marlinspike said. It's mostly greenhats. Green for money.
Defect and earn (Score:1)
Good. I hope this attracts a few NSA workers.
Why bother? (Score:1)
Why bother - the NSA will just backdoor it anyway and there will be an even wider door left open.
BIND, almost the last major pre-database program (Score:2)
BIND suffers from the fact that it's a database program without a real database inside. It dates from the days before UNIX/Linux had database programs. Almost the only other major UNIX/Linux program with that problem is Sendmail, which should have died decades ago. (QMail [cr.yp.to] should have replaced Sendmail, but the author does not promote it well. He does, however, offer a $500 reward for anyone finding a security bug. That's been offered since 1997, with no takers.)
Re: (Score:2)
BIND suffers from the delusions of those who wrote it.
No matter how you feel about the programmers involved though, spend ten minutes configuring and using tinydns and then BIND and ask yourself why anyone uses BIND.
While they're at it (Score:2)
Could they fix the on-going problems with the Intel chipsets that now inhabit nearly every laptop sold? How about the Ralink WiFi chipsets that can't maintain a reliable connection?
Oh and the touchpad drivers -- I should be able to automatically shut the thing down when I plug in my external mouse.