Google wants to pay Linux and open-source users to be 31337
A company paying developers and users to discover and report bugs is not new. In fact, these bounty programs are rather widespread. Heck, Microsoft even got into the game back in June of this year. However, Google is expanding on that concept, announcing that it will pay users for simply improving open-source software, such as components of the Linux kernel.
"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic -- enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it", says Michal Zalewski of the Google Security Team.
He further explains, "we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR -- we want to help".
Google says that it is limiting the scope to the following projects:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
However, the search giant will later expand it to:
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular SMTP services: Sendmail, Postfix, Exim
- Toolchain security improvements for GCC, binutils, and llvm
- Virtual private networking: OpenVPN
Regarding the payout, Google says, "rewards for qualifying submissions will range from $500 to $3,133.7. The final amount is always chosen at the discretion of the reward panel and is based on our judgment of the complexity and impact of the patch. We may choose higher rewards for unusually clever or complex submissions; we may also split the reward between the submitter and the maintainers of the project in cases where the patch required a substantial additional effort on behalf of the development team".
For those of you who aren't aware, the number 31337 is leetspeak for "eleet", meaning the English word "elite". Google's offering of a $3,133.7 reward is obviously a tongue-in-cheek reference to leetspeak.
Google will also give the option to donate the reward to charity. If the user chooses to donate, the search giant will match it. This is a very classy move for which the search giant should be applauded.
If you are interested in earning some money, please read the rules and details here.