Are you a computer security researcher hunting day and night for security software bugs? Do you feel ‘happy’ when you submit security patches to open-source packages?
Now you will be happier than ever. Google is paying security researchers for submitting security patches to that improve the security of OpenSSL, OpenSSH, BIND and several other open source packages. Google announced this program on Wednesday with the intention of improving core infrastructure network services such as OpenSSH, BIND, and ISC DHCP.
This program announced by Google pays rewards between $500 and $3,133.70. What about security fixes in Apache Web server, Sendmail e-mail service, and the OpenVPN software? Google is also paying for fixes to these open source programs. This is not for sure yet, but Google intends to soon extend the program to Widely used web servers (Apache httpd, lighttpd, nginx), Popular SMTP services (Sendmail, Postfix, Exim), Virtual private networking (OpenVPN) and GCC, binutils, and llvm.
“We all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program – and employ it to improve the security of key third-party software critical to the health of the entire Internet.”, Michal Zalewski (member of Google Security Team) writes in googleonlinesecurity blog.
Fixes in following open source projects are qualified for a reward:
– Core infrastructure network services: OpenSSH, BIND, ISC DHCP
– Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
– Open-source foundations of Google Chrome: Chromium, Blink
– Other high-impact libraries: OpenSSL, zlib
– Security-critical, commonly used components of the Linux kernel (including KVM)
How to participate?
The first thing you have to do is to submit your security patches to the maintainers of the individual projects and once your patch is accepted and merged into the repository, you have to send relevant details to security-patches@google.com. It is up to Google if your security patch qualifies for a reward or not. If it does you will get some cash. It is good to get paid and do things you like, isn’t it?
