
Google Offers Cash For Security Fixes To Linux and Other FOSS Projects

Posted by timothy
from the enlightened-self-interest dept.
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
  • Bugs in OpenSSH and BIND are often discovered by OpenBSD during some hackathons, so I'd hope that they're giving regular donations to the appropriate projects.

    • by skids (119237)

      They allow core developers to claim credit for their work. Note that this is for a bug report with patch, and the patch is expected to be more a systemic fix that is of high enough quality to be part of the codebase going forward than a workaround. If the hackathon produces such code and shepherds it through the upstream pull request process, then the organization might try to see if Google would cut them a check instead of an individual developer. However, that pull process often takes a few days.

  • by Joe_Dragon (2206452) on Thursday October 10, 2013 @12:33PM (#45093071)

    Why not have in-house staff or pay a 3rd party to do stuff like this full time, and not a system that can lead to devs coding themselves (or people they know) minivans?

    http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]

  • We don't need "software updates that improve the security of OpenSSL", we need a whole new protocol [cryptograp...eering.com].

    If you really want to be helpful, Google, provide support and coordinate a competition to create a new SSL protocol, à la AES [wikipedia.org] and SHA-3 [nist.gov]. Then we could make progress towards truly better security.

    • by Lennie (16154)

      I get the impression that the crypto people don't yet know what they want.

      • by imlepid (214300)

        Yes, I think that's true, but competitions will help focus minds. Most competitions will last a few years, including a period of laying out the requirements.

        I envision a new protocol to replace 3 remote security functions: SSL/TLS, IPSec, and SSH. I think SSH is the most secure of the three of those today but they could all three use a rethink.

        The ultimate goal, though, is not to do this as a separate project but as a unified community effort like the NIST competitions (see Standards [xkcd.com]).

        • by Lennie (16154)

          My guess is SSH is in good shape because it gets the most updates.

          That, in the long run, is really the best guarantee for security: keeping systems, software and crypto up to date.

  • by undeadbill (2490070) on Thursday October 10, 2013 @01:37PM (#45093873)

    From the OpenSSH FAQ- http://openssh.org/donations.html [openssh.org]
    "OpenSSH has no wealthy sponsors, nor a business model. In fact, no Commercial Unix or Linux vendor has ever given our project a cent. Naturally, the OpenSSH project requires funds to operate -- particularly so that our team members can meet in person once in a while (at OpenBSD hackathons) to design new ideas."

    From the OpenSSH Security page- If you wish to report a security issue in OpenSSH, please contact the private developers list openssh@openssh.com.

    A way of ensuring that bugs are proactively found in essential projects like this *isn't* to muddy the development process by establishing a separate security reporting structure, it is to fully fund the one that already exists and works very well. Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      DNRTFA; comment about "a separate security reporting structure" anyways!

      Code fixes should be submitted directly to the maintainers of the individual projects. Once the patch is accepted and merged into the repository, submitters should e-mail the details to security-patches@google.com. "If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,113.70," Zalewski said.

      PS:

      Q: I’m a core developer working on one of the in-scope projects. Do my own patches qualify?
      A: Most certainly!

      PPS:

      The people and organizations who have contributed money, equipment, or services to OpenSSH are not kept separate, but are combined with the list of people who have donated to all OpenBSD projects. That list can be found at the main OpenBSD donation page.

      If you'd care to search for "Google" on that page, you'd see it's already there in the list of donors.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?

      Um, for one, Google's listed on the OpenBSD donors page: http://www.openbsd.org/donations.html#people. Second, Google employs Damien Miller, who is one of the lead OpenSSH developers. Google employs a bunch of other OpenBSD developers too.

  • That is basically what Moxie Marlinspike said. It's mostly greenhats. Green for money.

  • Good. I hope this attracts a few NSA workers.

  • Why bother - the NSA will just backdoor it anyway and there will be an even wider door left open.

  • BIND suffers from the fact that it's a database program without a real database inside. It dates from the days before UNIX/Linux had database programs. Almost the only other major UNIX/Linux program with that problem is Sendmail, which should have died decades ago. (QMail [cr.yp.to] should have replaced Sendmail, but the author does not promote it well. He does, however, offer a $500 reward for anyone finding a security bug. That's been offered since 1997, with no takers.)

    • BIND suffers from the delusions of those who wrote it.

      No matter how you feel about the programmers involved though, spend ten minutes configuring and using tinydns and then BIND and ask yourself why anyone uses BIND.

  • Could they fix the on-going problems with the Intel chipsets that now inhabit nearly every laptop sold? How about the Ralink WiFi chipsets that can't maintain a reliable connection?

    Oh and the touchpad drivers -- I should be able to automatically shut the thing down when I plug in my external mouse.
