Google has revealed plans to extend the bug bounty rewards programme to selected open-source projects.
Targeted at improving the security of key third-party software, vital to the strength of the overall internet, the vulnerability rewards programme will initially range between $500 and $3,133.70 for core infrastructure network services, such as OpenSSH, BIND, ISC DHCP, in addition to core infrastructure image parsers including libjpeg, libjpeg-turbo, libpng and giflib.
The new bug bounty rewards scheme will also be added to open-source foundations of Google Chrome, including Chromium, Blink; other high-impact libraries such as OpenSSL, zlib; in addition to security-critical, commonly used elements of the Linux kernel.
Google Security Team’s Michal Zalewski said that in addition to offering valid reports, bug bounties invite a significant volume of spurious traffic – enough to completely overwhelm a small community of volunteers.
"On top of this, fixing a problem often requires more effort than finding it," Zalewski said.
"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug."
In due course, Google is also planning to extend the scheme to other widely used web servers (Apache httpd, lighttpd, nginx), popular SMTP services (Sendmail, Postfix, Exim), toolchain security improvements for GCC, binutils, and llvm in addition to virtual private networking (OpenVPN ).
Recently, Microsoft awarded $100,000 bounty to UK security researcher James Forshaw, after detecting design level security bugs on IE11 preview, while an Indian electronics and communications engineer, Arul Kumar, received $12,500 from Facebook upon discovering a bug in its support dashboard.
