Going Beyond Vulnerability Rewards (googleonlinesecurity.blogspot.com)
107 points by tptacek on Oct 9, 2013 | hide | past | favorite | 22 comments



The nut: if you can come up with ways to make any of the following open source projects more secure --- better allocator, constant time crypto routine, safer parser, privilege separation scheme, whatever --- and get a patch accepted that accomplishes that, Google will pay you in fashion similar to that of a bug bounty.

* OpenSSH

* BIND

* ISC DHCP

* libjpeg

* libjpeg-turbo

* libpng

* giflib

* Chromium

* Blink

* OpenSSL

* zlib

* "Security-critical, commonly used components of the Linux kernel (including KVM)"

This is so smart. Every part of it, but especially the targets they picked.


I can make many times the maximum reward provided here by weaponizing what I find in the popular projects mentioned. Given the fact that a massive portion of CAPABLE bug finders and exploit engineers feed directly into the arsenals of nation states and other malicious actors, it would REALLY be doing the world a favor if google paid enough to cause someone who knows about the bugs in this software to come forward about it. Because right now the electronic arms buyers are outbidding google by a dramatic margin.


It's hard to win bidding wars with nation states. It's even harder to make such victories matter: after all, they can always switch to doing security research and exploit development in-house.

Instead of trying that, we're catering to two groups of researchers:

1) Those who are not comfortable with the idea of selling weaponized exploits to the highest bidder for unspecified offensive purposes, and

2) Those who like to find bugs, but don't want to spend days or weeks to develop reliable, weaponized exploits for resale.

As it turns out, there are thousands of extremely prolific researchers who fall into these buckets; the number of "black market" players is much lower than that.

The reason why all of this matters is purely probabilistic: all this scrutiny limits the number of remaining vulnerabilities that can be leveraged for nefarious purposes, and limits the lifespan of any already-known 0-day bugs.

Now, having said all that, your comment is more applicable to vulnerability reward programs - which this isn't :-)


I don't think you understand what this program is about. This isn't a bug bounty. Instead, they're doing for open source what Microsoft did with the Blue Hat Prize: they're paying people for defensive technology, of the kind that many developers on HN could design without knowing much of anything about modern exploitation technology.

NOBODY is bidding for that kind of work. Google is the only company paying for it.

It would still be plenty great if Google provided its bug bounty for libpng or libjpeg. Oh, wait, they do: their own code depends on these libraries, which is why they picked them.


I agree that it is nice of google to offer to reward defensive reinforcement of some of the open source software they rely on. But I contend that this effort is unlikely to produce meaningful results that stand any chance at all of countering the R&D happening on the red teams.


That implies that it's easier to exploit bugs than to squish them. No.


On an equally motivated and skilled playing field, you would be correct. The bugs that will be exploited by meaningful adversaries will not be stopped by this effort. Latent exploitable bugs in most of the targeted mature software require significant, well-targeted compute to uncover. Google's incentives are insufficient to direct adequate resources toward the goal of making the internet a safe place for civilians.


I don't think Google is competing with the black market (on money) or trying to attract the people that already sell to the black market.

For many researchers in the world these reward programs ship a substantial amount of money.

And even if Google pays 20k for a bug and some cybermob promises 100k for an exploit. Are you really comfortable giving your bank account to those guys? Would you have to look up money laundering on the internet? And would you stop using the vulnerable Google product for yourself and tell those you hold dear to do the same?

The amount of legit money paid vs. the hassle and legal problems with selling on the black market even out very nicely for me, but I guess that depends on your priorities (and morals).

This video http://vimeo.com/54130349 (Bug Bounty Programs - Michael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice) shows how great these companies are doing with these bug bounty programs. I'd welcome more companies to follow suit, both in bug bounty programs and hardening patches reward programs.


Again: this program isn't a bug bounty. A bug bounty pays you for specific vulnerabilities you find. This program pays you for code you write to address hypothetical vulnerabilities.


A little humor here: there is someone a lot of people know who can probably jsfuzz Chromium too and get a lot of bug reward. wink wink at someone


I like the intention -- making software more secure is really worthwhile.

The reward scheme is dubious though: I love working on open source because it's intrinsically rewarding. But if you try to pay me a few bucks, chances are I'll lose interest because my day job pays better.

Extrinsic motivation killing intrinsic motivation is a known phenomenon in psychology: http://en.wikipedia.org/wiki/Motivation_crowding_theory It means that splashing money around to get people to do stuff can have the opposite effect. Also see the book Drive by Daniel Pink: http://www.amazon.com/Drive-Surprising-Truth-About-Motivates...


And it's going to get even better:

"We intend to soon extend the program to:

* Widely used web servers: Apache httpd, lighttpd, nginx

* Popular SMTP services: Sendmail, Postfix, Exim

* Toolchain security improvements for GCC, binutils, and llvm

* Virtual private networking: OpenVPN"


So they are basically indirectly funding open-source work on internet critical software, seems like win-win here.


Another interesting detail is that if you are a software maintainer of these projects, you are free to submit your own patches.

This means that Google is virtually funding these projects.


I'm curious, why $3,133.7?


leetspeak for "elite"


Also the port that the original Back Orifice ran on.


... which is because it is leet speak for Elite in the first place.


3 is E, 1 is L, 7 is T.

This is of course an old-school wink by Google here, although I'm not sure where it originally came from.

It kind of went everywhere in the '90s, even in looking at the time... 13:37 is 'leet time (!)


https://en.wikipedia.org/wiki/Leet

Different to what I originally thought :)


Note that their maximum reward is 3133.7 USD. You can also read the program rules at https://www.google.com/about/appsecurity/patch-rewards/.


I think we're seeing a taste of the future today. In a world where automation has taken over and there's not much work left for humans to do, we can basically get by on ad-hoc work to keep our robots running.

