Google to Pay for Free Software Patches
Google doesn't own open-source applications such as OpenSSH, Linux and Chromium, but it will gladly pay you money to make them more secure.
If you find vulnerabilities in certain high-profile open-source programs and find ways to patch them, Google could pay you more than $3,000.
Companies often pay bug hunters to find vulnerabilities in their software, and add a little extra incentive if the hackers can also develop patches.
However, Google wants to cut right to the chase and pay only for patches for open-source vulnerabilities.
"Bug bounties invite a significant volume of spurious traffic" from people who only think they've discovered a flaw, wrote Michal Zalewski of the Google Security Team in a blog post yesterday (Oct. 9). "Fixing a problem often requires more effort than finding it."
Zalewski put out a call for "down-to-earth, proactive improvements that go beyond merely fixing a known security bug."
The language gets a bit technical after this, but Zalewski's general proposal boils down to developing patches that make an overall program more compartmentalized and secure, rather than just finding one specific flaw and devoting vast amounts of time and money to fixing it.
Open-source software is developed and maintained by unpaid volunteers, and the software is freely available to anyone. Google's cash offerings give a bit more incentive to programmers working on improvements to some of the most widely used bit of open-source code.
At present, Google wants fixes for the following pieces of software: OpenSSH, BIND, ISC DHCP, libjpeg, libjpeg-turbo, libpng, giflib, Chromium, Blink, OpenSSL, zlib and parts of the Linux kernel.
Those may sound like alphabet soup to most readers, but the programs include network protocols, cross-platform image parsers, Google Chrome browser components, a security standard, a compression library and the core of the Linux operating system.
In the near future, Google will open up the bounty program to work on Web servers (Apache, lighttpd, nginx), outgoing mail services (Sendmail, Postfix, Exim), virtual private networks (OpenVPN) and miscellaneous programming tools (GCC, binutils, llvm).
If you successfully patch one of these programs, shoot an email to email@example.com, and you could earn anywhere between $500 and $3,133.70. (The second number is not arbitrary; that's just Internet jargon for "elite" or "excellent.")
Offering rewards for open-source vulnerability patches is both self-serving and magnanimous on Google's part. The company uses a great deal of open-source software in its Chrome browser and Android mobile operating system, not to mention on the tens of thousands of Linux servers that power Google Search and Gmail.
As with all open-source software, fixes to any application or tool will benefit any user or company that uses it. About a third of all Web servers run on Linux, and open-source software is used on many of the rest.
A more secure Internet is never a bad thing, and if you have an interest in security, you could make quite a bit of scratch while making a useful program better for everyone. Whatever it is that you like, chances are that $3,133.70 can buy an awful lot of it.