Google has become one of the pioneers of a kind of outsourced security testing for its web products and Chromium, paying hackers rewards both on an ongoing basis and at special contests such as Pwn2Own and Pwnium. Now Google has decided to go further, expanding its rewards program to projects unrelated to the Internet corporation, provided they are open source. For the trial period the company has compiled a limited list of approved projects and, if the trial succeeds, plans to expand it. However, this is not quite about finding vulnerabilities, but about fixing them. Interested?
So the current list is:
- Network infrastructure projects: OpenSSH, BIND, ISC DHCP
- Image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open projects under the hood of Google Chrome: Chromium and Blink
- Important libraries: OpenSSL, zlib
- Security-critical components of the Linux kernel, including KVM
A list of projects to be added a little later has also been compiled:
- Web servers: Apache, nginx, lighttpd
- Popular SMTP servers: Sendmail, Postfix, Exim
- Security enhancements to the GCC, binutils and LLVM toolchains
- OpenVPN
WHAT TO DO, SPEAK FAST!
1). Find a vulnerability in one of the projects (unexpected, right?).
2). Write a patch that fixes this vulnerability.
3). Send it to the project.
4). Wait for the project maintainers to verify it (according to the project's internal rules).
5). After your patch is included in the project's main branch, write an e-mail to security-patches@google.com with links, a description and the diffs of your work.
6). Wait for the Google Security Team to check your work.
7). If the verification succeeds, you can receive a reward from $500 to $3,133.7 USD. Taxes and other subtleties of your country's laws are your own responsibility. However, if your patch is simply an incredible piece of programming art, the reward can be higher, limited only by Google's generosity. In addition, the reward may be split if implementing the patch required significant work from the project's core development team. If the reward is not claimed, Google will donate the amount to a charity of its choosing.
FAQ
If the vulnerability was already known and I fixed it, can I get a reward?
In most cases, no. However, if fixing it required non-trivial work, such patches may be considered.
Why do you pay for fixing vulnerabilities rather than for finding them?
The fact is that for most open projects the main problem is not finding vulnerabilities but fixing them, because project teams often lack either staff or time. Therefore, in our opinion, fixing vulnerabilities is far more important and valuable.
Why must my patch be included in the project's main branch in the first place?
1). We want the patch code to meet all of the project's internal requirements.
2). A patch that may never land in the main branch is really of no use to anyone.
If I am one of the main developers of the project, can I participate in the rewards program?
In most cases, yes.
Who decides whether my patch qualifies for a reward?
The Google Security Team.
I want to keep my work anonymous; what can I do?
If you wish, once your patch has been verified our team will contact you about the payment details, and your name will not appear in the Google Hall of Fame.
Sources:
Google blog announcement.
More detailed conditions (in English).