11/10/2013

Open source projects: Google offers big rewards for the development of significant security patches

The Internet giant announced that it is launching an incentive program to encourage the creation of significant security patches for key open source projects (going beyond simple fixes for known bugs).

On the Google Online Security Blog, Google explained that the patches of interest include, for example, adding privilege separation or enabling Address Space Layout Randomisation (ASLR). The following projects are covered:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
  • Open-source foundations of Google Chrome: Chromium, Blink
  • Other high-impact libraries: OpenSSL, zlib
  • Security-critical, commonly used components of the Linux kernel (including KVM)

Google also intends to extend the program soon to:

  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular SMTP services: Sendmail, Postfix, Exim
  • Toolchain security improvements for GCC, binutils, and llvm
  • Virtual private networking: OpenVPN

The Mountain View company invites developers interested in the rewards program to read the rules and to submit their security patches to the maintainers of each project. If the patch is accepted and merged into the project's repository, the developer must then submit an application in writing to security-patches@google.com. Google will then judge the contribution and, if it is deemed significant, may offer a reward ranging from 500 to over 3000 dollars.

Since Google builds its own infrastructure on these projects, it clearly stands to benefit from their improvement.
