Google Offers Cash For Security Fixes To Linux and Other FOSS Projects

jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.

Re:No.

[h4rr4r]

They could keep the theme and just add some zeros.

Re:No.

[andydread]

THey could just not bother at all. is there anyone else offering bug bounties on software they didn't even write to begin with? Anyone?

Re:No.

[Anonymous Coward]

They aren't asking people to fix THEIR software.

OpenSSL is free open source library, not maintained by Google.
OpenHHS is free open source library, not maintained by Google
BIND is free open source... oh you get the picture.

They are asking people to open libraries that everyone is using. OpenSSL is library used to proved encryption for HTTPS requests, emails sent over TLS, etc. OpenSSH is what almost all ssh servers and clients use to securely login and encrypt communication end to end.

The motivation for fixing these is the fact that your internet access to your bank account depends on it. Google is just sweetening the pot. Selling exploits in these libraries would be the same as selling the bank account of almost every American.

This is a publicity move based on the disclosure of PRISM. The back doors in OpenSSH and OpenSSL were baked in on purpose by NSA. This was disclosed in the Snowden documents. Google wants these to be patched, and wants people to see that they helped get them patched, but because of PRISM, Google wouldn't be trusted to submit code upstream. This is an attempt at spreading "we care about the community" not their typical "we're paying people peanuts for fixing out software."

Re:No.

[Nerdfest]

Keep in mind that this is open-source software. Most people fix these for free right now. This this throws a bit of incentive out there for people to look a little more actively. For their own closed products products like Chrome though, yeah, the amounts are way too low. Still, I think they should get a little credit for offering money for stuff that benefits us all (including them of course).

Re:No.

[Sarten-X]

What is your conscience worth to you?

Researchers have been responsibly reporting vulnerabilities for decades, usually out of an altruistic desire to make the world a little safer. The extra cash is just a token of appreciation, not a work-for-hire deal. Heck, a lot of researchers are already getting paid on salary to do the work that leads them to the bugs.

Re:No.

[Joining Yet Again]

This, a thousand times.

OP just sounded like, "Fuck you, I'm using my skills for extortion!"

Anyway, a criminal would sell the flaw to every market. So it makes absolute sense not to start an arms race with the mafia.

Why not pay the OpenSSH project, Google?

[undeadbill]

From the OpenSSH FAQ- http://openssh.org/donations.html [openssh.org]
"OpenSSH has no wealthy sponsors, nor a business model. In fact, no Commercial Unix or Linux vendor has ever given our project a cent. Naturally, the OpenSSH project requires funds to operate -- particularly so that our team members can meet in person once in a while (at OpenBSD hackathons) to design new ideas."

From the OpenSSH Security page- If you wish to report a security issue in OpenSSH, please contact the private developers list openssh@openssh.com.

A way of ensuring that bugs are proactively found in essential projects like this *isn't* to muddy the development process by establishing a separate security reporting structure, it is to fully fund the one that already exists and works very well. Google rakes in BILLIONS and can't annually fund one developer's worth of money to a project like OpenSSH as a tax deductible donation or written off as R&D? Really?