Google Online Security Blog: Going beyond vulnerability rewards

Going beyond vulnerability rewards

9 ตุลาคม 2556

Posted by Michal Zalewski, Google Security TeamWe all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program - and employ it to improve the security of key third-party software critical to the health of the entire Internet.We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help!We intend to roll out the program gradually, based on the quality of the received submissions and the feedback from the developer community. For the initial run, we decided to limit the scope to the following projects:

Core infrastructure network services: OpenSSH, BIND, ISC DHCP

Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib

Open-source foundations of Google Chrome: Chromium, Blink

Other high-impact libraries: OpenSSL, zlib

Security-critical, commonly used components of the Linux kernel (including KVM)

Widely used web servers: Apache httpd, lighttpd, nginx

Popular SMTP services: Sendmail, Postfix, Exim

Toolchain security improvements for GCC, binutils, and llvm

Virtual private networking: OpenVPN

How to participate?Before participating, please read the official rules posted on this page; the document provides additional information about eligibility, rewards, and other important stuff.Please submit your patches directly to the maintainers of the individual projects. Once your patch is accepted and merged into the repository, please follow the submission process outlined here. If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7. Happy patching!

10 ความคิดเห็น :

Dagian Insider กล่าวว่า...: This is *awesome*.; 9 ตุลาคม 2556 เวลา 20:51
Dagian Insider กล่าวว่า...: This is *awesome*.; 9 ตุลาคม 2556 เวลา 20:51
Brad กล่าวว่า...: Could Google consider extending the program to widely used name server implementations such as nsd and Unbound and IMAP/POP3 implementation Dovecot?; 9 ตุลาคม 2556 เวลา 22:27
Tyler Neely กล่าวว่า...: I can make many times the maximum reward provided here by weaponizing what I find in the popular projects mentioned, and providing disinformation and bug obfuscation to appear to fix it and take your money as well. Given the fact that a massive portion of bug finders feed directly into the arsenals of nation states and other malicious actors, it would REALLY be doing the world a favor if you paid enough to cause someone who knows about the bugs in this software to come forward about it. Because right now the electronic arms buyers are outbidding you by a dramatic margin.; 9 ตุลาคม 2556 เวลา 22:42
Andrey Karpov กล่าวว่า...: What is a vulnerability? We regularly find new bugs. What errors are the vulnerabilities? :)

Errors detected in Open Source projects by the PVS-Studio developers through static analysis: http://www.viva64.com/en/examples/; 10 ตุลาคม 2556 เวลา 09:36
zeroXten กล่าวว่า...: Awesome. I had a similar idea the other day, but that would have involved sponsor companies putting money into a pool. Good job Google.; 10 ตุลาคม 2556 เวลา 12:13
Unknown กล่าวว่า...: Woot! Google taking initiative once again! These sort of fixes are long past due.; 11 ตุลาคม 2556 เวลา 10:22
Unknown กล่าวว่า...: thanks for the wonderful blog .
Good job Google.
Adobe Acrobat X Software Download; 5 พฤศจิกายน 2556 เวลา 10:31
Unknown กล่าวว่า...: This is seriously cool and decidedly non-evil! Maybe at later stage you can consider to contribute to bug bounties (e.g. at https://www.bountysource.com/) as well?; 22 พฤศจิกายน 2556 เวลา 04:09
adrian is กล่าวว่า...: hi how about i find a vulnerability . but i dont have a patch(explanation only). is this still valid?; 28 กันยายน 2557 เวลา 22:37

แสดงความคิดเห็น

Security Blog

Going beyond vulnerability rewards

10 ความคิดเห็น :

ป้ายกำกับ

Archive

Feed