Re: Going beyond vulnerability rewards

[Steve Pirk <pirkster () gmail com>]

This approach is similar to how they are developing Chromium/Chrome OS. The
code is out there fr manufacturers to test their hardware against, and when
people run into issues, the problem gets added to the database and everyone
contributes what they can to a solution.

An "add-on" project they are working on that many including me are
following is the integrated Tor client/code. It is getting close to doable,
but they are asking for external help on parts of it, mainly due to
resource limitations.

-- steve


On Fri, Oct 11, 2013 at 11:02 AM, Jeffrey Walton <noloader () gmail com> wrote:

> http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html?m=1
>
> We all benefit from the amazing volunteer work done by the open source
> community. That’s why we keep asking ourselves how to take the model
> pioneered with our Vulnerability Reward Program - and employ it to
> improve the security of key third-party software critical to the
> health of the entire Internet.
>
> We thought about simply kicking off an OSS bug-hunting program, but
> this approach can easily backfire. In addition to valid reports, bug
> bounties invite a significant volume of spurious traffic - enough to
> completely overwhelm a small community of volunteers. On top of this,
> fixing a problem often requires more effort than finding it.
>
> So we decided to try something new: provide financial incentives for
> down-to-earth, proactive improvements that go beyond merely fixing a
> known security bug. Whether you want to switch to a more secure
> allocator, to add privilege separation, to clean up a bunch of sketchy
> calls to strcat(), or even just to enable ASLR - we want to help!
>
> We intend to roll out the program gradually, based on the quality of
> the received submissions and the feedback from the developer
> community. For the initial run, we decided to limit the scope to the
> following projects:
>
> Core infrastructure network services: OpenSSH, BIND, ISC DHCP
> Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
> Open-source foundations of Google Chrome: Chromium, Blink
> Other high-impact libraries: OpenSSL, zlib
> Security-critical, commonly used components of the Linux kernel (including
> KVM)
>
> We intend to soon extend the program to:
>
> Widely used web servers: Apache httpd, lighttpd, nginx
> Popular SMTP services: Sendmail, Postfix, Exim
> Toolchain security improvements for GCC, binutils, and llvm
> Virtual private networking: OpenVPN
>
> How to participate?
>
> Please submit your patches directly to the maintainers of the
> individual projects. Once your patch is accepted and merged into the
> repository, please send all the relevant details to
> security-patches () google com. If we think that the submission has a
> demonstrable, positive impact on the security of the project, you will
> qualify for a reward ranging from $500 to $3,133.7.
>
> Before participating, please read the official rules posted on this
> page; the document provides additional information about eligibility,
> rewards, and other important stuff.
>
> Happy patching!
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.