October 11, 2013 at 1:14 pm #180336
From the Google Online Security Blog:
Going beyond vulnerability rewards
We all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program – and employ it to improve the security of key third-party software critical to the health of the entire Internet.
We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic – enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.
So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help!
We intend to roll out the program gradually, based on the quality of the received submissions and the feedback from the developer community. For the initial run, we decided to limit the scope to the following projects:
October 11, 2013 at 1:16 pm #180342
Additional information and commentary from Veracode Blog:
Google’s Cash Helps To Clean Up Open Source Commons
Open source has worked its way into a stunning array of commercial and free technology products. Now Google is using its bank account to help improve the security of the underlying code.
We’ve talked on this blog before about the conundrum posed by the widespread use of third party and open source code. On the one hand: third party code can greatly accelerate application development by sparing software development groups the task of “reinventing the wheel” in order to implement standard application components. On the other hand, open source and third party code can often contain serious vulnerabilities that easily slip below the radar during quality assurance testing and application audits.
The problem is serious enough to prompt OWASP to make room on its Top 10 for third party software components. Veracode’s own Chris Wysopal recently argued that the prospect of NSA “back doors” in common technology were a lot less of a privacy concern than run of the mill vulnerabilities in shared code.
October 11, 2013 at 10:42 pm #180340
David B. Grinberg (Participant)
Nice article, Henry.
Unfortunately, we are all vulnerable online. Everyone needs to be more mindful and vigilant of the inherent threats in cyberspace — not the least of which are gov officials responsible for cybersecurity. GovLoop’s new guide on cybersecurity is a much needed and welcome resource.
October 14, 2013 at 5:06 am #180338
Some additional information from the State of Security Blog:
In an effort to bolster the security and overall functionality of third-party open source software, Google has announced the implementation of a bounty program to reward developers for making improvements to the offerings.
Modeled after the company’s Vulnerability Reward Program, the patch bounty incentives seek to go beyond rewarding vulnerability disclosures by offering cash for the creation of solutions for bugs in “key third-party software critical to the health of the entire Internet.”
“We all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program — and employ it to improve the security of key third-party software critical to the health of the entire Internet,” Google’s Michal Zalewski said in a blog post on the program.