

Going beyond vulnerability rewards - WestCoastJustin
http://googleonlinesecurity.blogspot.ca/2013/10/going-beyond-vulnerability-rewards.html

======
casca
Interesting idea. Try to get people who are considering selling exploits to get
a little money from Google instead. Michal Zalewski (lcamtuf) is highly
respected in the security world - The Tangled Web and Silence on the Wire are
excellent reads.

It would be very surprising if this didn't lead to a few new BIND and ISC
DHCPD bugs coming out in the near future.

~~~
WestCoastJustin
What's really cool about this is that it looks like it applies to more than
just security fixes i.e. _Qualifying submissions - Any patch that has a
demonstrable, significant, and proactive impact on the security of one of the
in-scope projects will be considered for a reward. Examples include:_

    Improvements to privilege separation,
    Memory allocator hardening,
    Cleanups of integer arithmetics,
    Systematic fixes for various types of race conditions,
    Elimination of error-prone design patterns or library calls.

_Reactive patches that merely address a single, previously discovered
vulnerability will typically not be eligible for rewards. [1]_

[1] [https://www.google.com/about/appsecurity/patch-rewards/](https://www.google.com/about/appsecurity/patch-rewards/)
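The categories quoted above come from Google's patch-rewards page. As an added illustration of what a "cleanup of integer arithmetics" patch looks like (this is example code written for this page, not code from the thread, from Google, or from any in-scope project), here is the size computation that silently wraps on overflow beside its overflow-checked replacement in C. The function names are constructed for the example; the `__builtin_mul_overflow` mentioned in a comment is a real GCC/Clang builtin, but the code uses a portable division test so it compiles anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Error-prone pattern (constructed example): n * elem wraps modulo
 * SIZE_MAX + 1, so a huge element count can produce a tiny allocation
 * that later code then overruns. */
size_t unchecked_buffer_size(size_t n, size_t elem)
{
    return n * elem;             /* wraps on overflow, no error */
}

/* Hardened form: detect overflow instead of wrapping. Returns 0 and
 * stores the product in *out on success, -1 on overflow. GCC and Clang
 * also provide __builtin_mul_overflow() for the same check. */
int checked_mul_size(size_t n, size_t elem, size_t *out)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return -1;
    *out = n * elem;
    return 0;
}

/* Same idea for addition, e.g. header length + payload length. */
int checked_add_size(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return -1;
    *out = a + b;
    return 0;
}

/* Convenience predicate so callers (and tests) can ask "would this
 * multiplication overflow?" without caring about the product. */
int mul_overflows(size_t n, size_t elem)
{
    size_t unused;
    return checked_mul_size(n, elem, &unused) != 0;
}

/* Allocation helper built on the checked primitives (hypothetical name).
 * The caller gets NULL on overflow rather than an undersized buffer. */
void *alloc_array_with_header(size_t header, size_t n, size_t elem)
{
    size_t body, total;
    if (checked_mul_size(n, elem, &body) != 0)
        return NULL;
    if (checked_add_size(header, body, &total) != 0)
        return NULL;
    if (total == 0)
        total = 1;               /* avoid the ambiguous malloc(0) */
    return calloc(1, total);     /* zeroed, so no uninitialised reads */
}

int main(void)
{
    /* The wrapped computation claims a zero-byte buffer for 2^63 * 2. */
    printf("unchecked: %zu\n", unchecked_buffer_size(SIZE_MAX / 2 + 1, 2));
    /* The checked path refuses the same request. */
    printf("checked overflow detected: %d\n", mul_overflows(SIZE_MAX / 2 + 1, 2));
    void *p = alloc_array_with_header(16, 4, 8);
    printf("normal allocation ok: %d\n", p != NULL);
    free(p);
    printf("oversized allocation refused: %d\n",
           alloc_array_with_header(16, SIZE_MAX, 2) == NULL);
    return 0;
}
```

A systematic patch of this kind replaces every ad hoc `n * elem` or `len + hdr` that feeds an allocator or a copy with one of the checked helpers, which is why it can be reviewed for "demonstrable, proactive impact" without pointing at any single exploitable call site.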

~~~
IanCal
I suppose these are likely to be security fixes, but it's really nice to see a
change in attitude. You can have fixed a security bug before anyone knows it
exists by fixing up areas of code likely to contain bugs.

This also widens the group of people who can submit fixes, since you can fix
something that looks a bit dodgy without having to prove there is a particular
exploit.

------
3JPLW
Earlier discussion (of the same post):
[https://news.ycombinator.com/item?id=6523434](https://news.ycombinator.com/item?id=6523434)

Ah, the wonders of multiple country-code TLDs for the same blogspot page (also
submitted under Australia)

~~~
WestCoastJustin
I didn't see the earlier post.

------
swamp40
Google's going to pay for GCC toolchain improvements?

Good for them.

But a normal company would go broke doing these kinds of things.

~~~
IanCal
Maybe. They've got a lot riding on these things being secure, a bit of money
now is probably a lot better than lots of money later. A lot of companies
probably have the same risk/reward, but can't place it neatly in a budget.

This may also be part of reaching out to developers, and gaining some trust
back. They've probably taken quite a hit recently, and I think they've
somewhat relied on being the cool place to work.

------
swamp40
Aren't they worried that people will inject open-source vulnerabilities for
free, then have Google pay them when they are "found" and "fixed"?

~~~
rictic
According to the page, fixing individual vulnerabilities won't typically be
rewarded. This seems like it's for more systemic fixes, like improving
privilege separation, security at the memory allocation level, etc.

------
kylequest
It would be great if they could add Django, RoR, and Node/Express.js to
improve their security proactively. They can definitely use that :-)

------
alanbyrne
I love that the Max reward is $3133.7 dollars. Made me chuckle.

