Pushed both by corporate desires for better security and less wholesome motives, the market for finding security holes is getting bigger.
In an attempt to improve security for software it and many others use on the Internet, Google said Wednesday it's offering to pay programmers $500 to $3,133.70 for changes that make widely used open-source software less vulnerable to attack.
With the Chrome reward program and the vulnerability reward program, Google already offers two mechanisms to pay people for finding specific weaknesses in its browser and its online services. The new patch rewards program goes a step further by trying to encourage people to harden software at a deeper level.
"Quite a few vulnerabilities trace back to preventable coding mistakes, or are made easier to exploit due to the absence of simple mitigation techniques. We are hoping to address this to some extent," Google said in an FAQ about the program.
Bug bounties have become more popular at major computing firms seeking to keep their services and software secure -- and to compete against other organizations that would pay for the same vulnerabilities. Those organizations include not just criminals intent on breaking into systems, but also the National Security Agency. For 2013, the NSA allocated $25.1 million for "additional covert purchases of software vulnerabilities," the Washington Post reported, based on documents leaked by former NSA contractor Edward Snowden.
In August, Google quintupled some bug bounty payments; its bounty payouts so far have totaled more than $2 million. And this week, Microsoft paid security researcher James Forshaw $100,000 for a novel exploit mitigation bypass technique, the first payout under its Mitigation Bypass Bounty.
For its new patch rewards program, Google decided against expanding its existing bug-hunting rewards to others' open-source software projects, said Michal Zalewski, a Google security team member who will help to review patch rewards submissions, in a blog post Wednesday:
This approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic -- enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.
Hence the focus on accepted patches rather than on bug reports. Google will pay programmers who submit their improvements, but only after the maintainers of the software projects accept them. "It is up to the maintainers to decide whether to accept a proposed patch. Given the nature of the program, we do not wish to second-guess the decisions of those managing the project," Google said.
Here are the initial projects for which Google will pay for improvements:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
Later, Google said, it plans to extend the program to cover this software as well:
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular SMTP services: Sendmail, Postfix, Exim
- Toolchain security improvements for GCC, binutils, and llvm
- Virtual private networking: OpenVPN