About a month ago, we kicked off our Patch Reward Program. The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.
We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and llvm
For more information about eligibility, reward amounts, and the submission process, please visit this page. Happy patching!
Still no FreeBSD?
ReplyDeleteGreat to here that!
ReplyDeleteDoes discovering and fixing (sending patch to maintainer) security flaw in mentioned software will also be eligible for reward? After all it's also security improvement.
Regards,
mzet
The vulnerability program to improve security on third party software is a great idea. The open source community wants to improve software in the security area. The financial incentive that your team would provide has great potential to advance the program. The patched that are submitted could be a major benefit to the programs listed. Is Google model going forward to open source?
ReplyDeleteThe vulnerability program to improve security on third party software is a great idea. The open source community wants to improve software in the security area. The financial incentive that your team would provide has great potential to advance the program. The patched that are submitted could be a major benefit to the programs listed. Is Google model going forward to open source?
ReplyDelete