[ISN] Google offers “leet” cash prizes for updates to Linux and other OS software

http://arstechnica.com/security/2013/10/google-offers-leet-cash-prizes-for-updates-to-linux-and-other-os-software/ By Dan Goodin Ars Technica Oct 9 2013 Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google’s current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company’s software and Web properties. Security researchers inside the company considered modifying the program to reward bug reports in open-source software, but eventually decided against that approach. The reason: bug bounty programs often invite a flood of reports of varying quality that can overwhelm the finite resources of open-source developers. What’s more, it’s frequently much harder to patch a vulnerability than merely to find it. “So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” Michael Zalewski, a member of the Google security team, wrote in a blog post. “Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR—we want to help.” Beginning immediately, the program will offer rewards between $500 and $3,133.70 for security improvements to core infrastructure network services such as OpenSSH, BIND, and ISC DHCP; image parsers such as libjpeg and libjpeg-turbo; the open-source foundations of Google Chrome; the high impact code libraries OpenSSL and zlib; and security-critical, commonly used components of the Linux operating system kernel. Eventually, Google will pay for fixes to other open-source programs, including the Apache Web server, Sendmail e-mail service, and the OpenVPN virtual private networking app. […]