

Going Beyond Vulnerability Rewards - tptacek
http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html

======
tptacek
The nut: if you can come up with ways to make any of the following open source
projects more secure --- better allocator, constant time crypto routine, safer
parser, privilege separation scheme, whatever --- and get a patch accepted
that accomplishes that, Google will pay you in fashion similar to that of a
bug bounty.

* OpenSSH

* BIND

* ISC DHCP

* libjpeg

* libjpeg-turbo

* libpng

* giflib

* Chromium

* Blink

* OpenSSL

* zlib

* "Security-critical, commonly used components of the Linux kernel (including KVM)"

This is so smart. Every part of it, but especially the targets they picked.

~~~
krenoten
I can make many times the maximum reward provided here by weaponizing what I
find in the popular projects mentioned. Given the fact that a massive portion
of CAPABLE bug finders and exploit engineers feed directly into the arsenals
of nation states and other malicious actors, it would REALLY be doing the
world a favor if google paid enough to cause someone who knows about the bugs
in this software to come forward about it. Because right now the electronic
arms buyers are outbidding google by a dramatic margin.

~~~
tptacek
I don't think you understand what this program is about. This isn't a bug
bounty. Instead, they're doing for open source what Microsoft did with the
Blue Hat Prize: they're paying people for _defensive_ technology, of the kind
that many developers on HN could design without knowing much of anything about
modern exploitation technology.

_NOBODY_ is bidding for that kind of work. Google is the only company paying
for it.

It would still be plenty great if Google provided its bug bounty for libpng or
libjpeg. Oh, wait, they do: their own code depends on these libraries, which
is why they picked them.

~~~
krenoten
I agree that it is nice of google to offer to reward defensive reinforcement
of some of the open source software they rely on. But I contend that this
effort is unlikely to produce meaningful results that stand any chance at all
of countering the R&D happening on the red teams.

~~~
tptacek
That implies that it's easier to exploit bugs than to squish them. No.

~~~
krenoten
On an equally motivated and skilled playing field, you would be correct. The
bugs that will be exploited by meaningful adversaries will not be stopped by
this effort. Latent exploitable bugs in most of the targeted mature software
require significant, well-targeted compute to uncover. Google's incentives are
insufficient to direct adequate resources toward the goal of making the
internet a safe place for civilians.

------
packetslave
And it's going to get even better:

"We intend to soon extend the program to:

* Widely used web servers: Apache httpd, lighttpd, nginx

* Popular SMTP services: Sendmail, Postfix, Exim

* Toolchain security improvements for GCC, binutils, and llvm

* Virtual private networking: OpenVPN"

------
joliss
I like the intention -- making software more secure is really worthwhile.

The reward scheme is dubious though: I love working on open source because
it's intrinsically rewarding. But if you try to pay me a few bucks, chances
are I'll lose interest because my day job pays better.

Extrinsic motivation killing intrinsic motivation is a known phenomenon in
psychology:
[http://en.wikipedia.org/wiki/Motivation_crowding_theory](http://en.wikipedia.org/wiki/Motivation_crowding_theory)
It means that splashing money around to get people to do stuff can have the
opposite effect. Also see the book Drive by Daniel Pink:
[http://www.amazon.com/Drive-Surprising-Truth-About-Motivates...](http://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805)

------
rurounijones
So they are basically indirectly funding open-source work on internet critical
software, seems like win-win here.

------
neur0mancer
Another interesting detail is that if you are a software maintainer of these
projects, you are free to submit your own patches.

This means that Google is virtually funding these projects.

------
cschmidt
I'm curious, why $3,133.7?

~~~
dmpatierno
leetspeak for "elite"

~~~
vezzy-fnord
Also the port that the original Back Orifice ran on.

~~~
Andrenid
... which is because it is leet speak for Elite in the first place.

------
grn
Note that their maximum reward is 3133.7 USD. You can also find the program rules
at [https://www.google.com/about/appsecurity/patch-rewards/](https://www.google.com/about/appsecurity/patch-rewards/).

------
logn
I think we're seeing a taste of the future today. In a world where automation
has taken over and there's not much work left for humans to do, we can
basically get by on ad-hoc work to keep our robots running.

