Forgot your password?
typodupeerror
Google Open Source Security Software The Almighty Buck Linux

Google Offers Cash For Security Fixes To Linux and Other FOSS Projects 94

Posted by timothy
from the enlightened-self-interest dept.
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
This discussion has been archived. No new comments can be posted.

Google Offers Cash For Security Fixes To Linux and Other FOSS Projects

Comments Filter:
  • Re:No. (Score:5, Informative)

    by oodaloop (1229816) on Thursday October 10, 2013 @12:41PM (#45093199)

    Okay Google, that's just not nice.

    Google paying people for finding bugs in software that Google didn't produce isn't nice? Who else does that?

  • by Anonymous Coward on Thursday October 10, 2013 @01:52PM (#45094053)

    DNRTFA; comment about "a separate security reporting structure" anyways!

    Code fixes should be submitted directly to the maintainers of the individual projects. Once the patch is accepted and merged into the repository, submitters should e-mail the details to security-patches@google.com. "If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,113.70," Zalewski said.

    PS:

    Q: I’m a core developer working on one of the in-scope projects. Do my own patches qualify?
      A: Most certainly!

    PPS:

    The people and organizations who have contributed money, equipment, or services to OpenSSH are not kept separate, but are combined with the list of people who have donated to all OpenBSD projects. That list can be found at the main OpenBSD donation page.

    If you'd care to search for "Google" on that page, you'd see it's already there in list of donors.

  • by Anonymous Coward on Thursday October 10, 2013 @03:32PM (#45095211)

    Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?

    Um, for one, Google's listed on the OpenBSD donors page: http://www.openbsd.org/donations.html#people. Second, Google employs Damien Miller, who is one of the lead OpenSSH developers. Google employs a bunch of other OpenBSD developers too.

Make headway at work. Continue to let things deteriorate at home.

Working...