Google Online Security Blog: News from the land of patch rewards

Security Blog

The latest news and insights from Google on security and safety on the Internet

News from the land of patch rewards

October 9, 2014

launchedPatch Reward
We started with a modest scope and reward amounts, but have gradually expanded the program over the past few months. We’ve seen some great work so far—and to help guide future submissions, we wanted to share some of our favorites:

Incorporation of a variety of web security checks directly into Django to help users develop safer web applications.

A support for seccomp-bpf sandboxing in BIND to minimize the impact of remote code execution bugs.

Addition of Curve25519 and several other primitives in OpenSSH to strengthen its cryptographic foundations and improve performance.

A set of patches to reduce the likelihood of ASLR info leaks in Linux to make certain types of memory corruption bugs more difficult to exploit.

And, of course, the recent attack-surface-reducing function prefix patch in bash that helped mitigate a flurry of “Shellshock”-related bugs.

We hope that this list inspires even more contributions in the year to come. Of course, before participating, be sure to read the rules page. When done, simply send your nominations to security-patches@google.com. And keep up the great work!
Posted by Michal Zalewski, Google Security Team