Google launches open source bug bounty programme
Search giant's bug-hunting reward programme extended to third-party code.


Google is to roll out its Vulnerability Reward Program to include a number of its critical third-party software providers.
According to a blog post by Michal Zalewski of Google's security team, the aim of the programme is to "improve the security of key third-party software critical to the health of the entire internet".
The programme will initially include 12 open source projects divided into five areas: OpenSSH, BIND and ISC DHCP are included under core infrastructure network services; libjpeg, libjpeg-turbo, libpng and giflib are listed as core infrastructure image parsers; Chromium and Blink come under the open source foundations of Google Chrome; OpenSSL and zlib are listed simply as other high-impact libraries; and finally, security-critical, commonly used components of the Linux kernel form their own group.
The programme will also be rolled out at a later date to Apache httpd, Sendmail, Postfix, binutils and OpenVPN, amongst others. No exact timescale has been given for the inclusion of these projects, although Google claims it will be "soon".
Explaining how the programme came to be, Zalewski said: "We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.
"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug."
Anyone wishing to participate should submit bug reports directly to the maintainers of the individual projects included in the scheme. Once the patch is accepted and merged into the repository, bug hunters should send all the relevant details to security-patches@google.com.
Those whose submissions are judged to have a demonstrable, positive impact on the security of the project in question will qualify for a reward ranging from $500 (£313.18) up to a maximum $3,133.7 (£1962.74).

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.