Google to Pay for Free Software Patches

Google doesn't own open-source applications such as OpenSSH, Linux and Chromium, but it will gladly pay you money to make them more secure.

If you find vulnerabilities in certain high-profile open-source programs and find ways to patch them, Google could pay you more than $3,000.

Companies often pay bug hunters to find vulnerabilities in their software, and add a little extra incentive if the hackers can also develop patches.

However, Google wants to cut right to the chase and pay only for patches for open-source vulnerabilities.

"Bug bounties invite a significant volume of spurious traffic" from people who only think they've discovered a flaw, wrote Michal Zalewski of the Google Security Team in a blog post yesterday (Oct. 9). "Fixing a problem often requires more effort than finding it."


Zalewski put out a call for "down-to-earth, proactive improvements that go beyond merely fixing a known security bug."

The language gets a bit technical after this, but Zalewski's general proposal boils down to rewarding patches that make a whole program harder to exploit, for instance by compartmentalizing it so that a flaw in one component cannot compromise the rest, rather than paying for one specific bug that then costs a great deal of time and money to triage and fix.
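As an added illustration of the kind of compartmentalization Zalewski's post is asking for (this is example code written for this article, not Google's code and not a patch to any of the listed projects): a toy parser for untrusted input is run in a forked child that drops privileges and applies resource limits, so a memory-safety crash in the parser kills the child rather than the program that called it. The format, the parser and its deliberate fault are constructed for the demo; the unprivileged uid/gid 65534 and the 2-second CPU limit are assumptions.

```c
/* Added example (not Google's or any listed project's code): isolating an
 * untrusted-input parser in a forked, privilege-dropped child so that a
 * crash in the parser cannot take down or compromise the calling process. */
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed toy format: byte 0 = payload length n, then n payload bytes.
 * The "parse" result is the sum of the payload bytes. */
#define MAX_PAYLOAD 16

/* Toy parser with a deliberate, deterministic fault: when the declared length
 * does not fit the buffer it dereferences NULL, standing in for the kind of
 * memory-safety bug that malformed input triggers in real image parsers. */
static int toy_parse(const uint8_t *buf, size_t len, uint32_t *sum)
{
    if (len == 0) return -1;
    size_t n = buf[0];
    if (n > MAX_PAYLOAD || n + 1 > len) {
        volatile int *bug = NULL;   /* simulated crash, not a real check */
        return *bug;
    }
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += buf[1 + i];
    *sum = s;
    return 0;
}

/* Runs toy_parse() in a child with dropped privileges and resource limits;
 * the parent only ever reads a fixed-size result from a pipe.
 * Returns 0 on success (result in *sum), -1 if the child failed or crashed. */
int parse_untrusted(const uint8_t *buf, size_t len, uint32_t *sum)
{
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {
        close(fd[0]);
        /* Compartment hardening: no core dumps, bounded CPU time, and, if we
         * happen to be root, drop to an unprivileged uid/gid (65534 assumed). */
        struct rlimit rl = {0, 0};
        setrlimit(RLIMIT_CORE, &rl);
        rl.rlim_cur = rl.rlim_max = 2;
        setrlimit(RLIMIT_CPU, &rl);
        if (geteuid() == 0 && (setgid(65534) != 0 || setuid(65534) != 0))
            _exit(127);
        uint32_t s = 0;
        int rc = toy_parse(buf, len, &s);
        if (rc == 0 && write(fd[1], &s, sizeof s) != (ssize_t)sizeof s) rc = -1;
        _exit(rc == 0 ? 0 : 1);
    }
    close(fd[1]);
    uint32_t s = 0;
    ssize_t got = read(fd[0], &s, sizeof s);   /* EOF if the child died */
    close(fd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (got != (ssize_t)sizeof s) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    *sum = s;
    return 0;
}

/* Wrappers over constructed inputs so both outcomes can be checked directly. */
int demo_well_formed(void)   /* returns 6 */
{
    static const uint8_t good[] = {3, 1, 2, 3};
    uint32_t sum = 0;
    return parse_untrusted(good, sizeof good, &sum) == 0 ? (int)sum : -1;
}

int demo_malformed(void)     /* returns -1: child crashed, parent survived */
{
    static const uint8_t bad[] = {200, 9, 9};   /* declared length > buffer */
    uint32_t sum = 0;
    return parse_untrusted(bad, sizeof bad, &sum);
}

int main(void)
{
    printf("well-formed input: %d\n", demo_well_formed());
    printf("malformed input:   %d (parser crashed in its compartment)\n",
           demo_malformed());
    return 0;
}
```

The same input that would have crashed a monolithic program now merely produces a failed parse, which is the point of the design: the parent trusts nothing from the child except a fixed-size integer. OpenSSH's privilege separation and Chromium's sandboxed renderers apply this idea at scale, and the post's proposal pays for bringing similar structure to other widely used code.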

Much open-source software is developed and maintained by volunteers, although many of the high-profile projects also have contributors paid by companies that depend on them, and the software is freely available to anyone. Google's cash offerings add an incentive for programmers to work on hardening some of the most widely used bits of open-source code.

At present, Google wants fixes for the following pieces of software: OpenSSH, BIND, ISC DHCP, libjpeg, libjpeg-turbo, libpng, giflib, Chromium, Blink, OpenSSL, zlib and parts of the Linux kernel.

Those may sound like alphabet soup to most readers, but the programs include network service daemons (OpenSSH, BIND, ISC DHCP), cross-platform image parsers (libjpeg, libjpeg-turbo, libpng, giflib), Google Chrome browser components (Chromium, Blink), a cryptographic library (OpenSSL), a compression library (zlib) and the core of the Linux operating system.

In the near future, Google will open up the bounty program to work on Web servers (Apache, lighttpd, nginx), outgoing mail services (Sendmail, Postfix, Exim), virtual private networks (OpenVPN) and miscellaneous programming tools (GCC, binutils, llvm).

If you successfully patch one of these programs and the project's maintainers accept the change, send the details to security-patches@google.com, and you could earn anywhere between $500 and $3,133.70. (The second number is not arbitrary: 31337 spells "eleet" in hacker slang, meaning "elite.")

Offering rewards for open-source vulnerability patches is both self-serving and magnanimous on Google's part. The company uses a great deal of open-source software in its Chrome browser and Android mobile operating system, not to mention on the tens of thousands of Linux servers that power Google Search and Gmail.

As with all open-source software, a fix that lands upstream benefits every user and company that runs the program. About a third of all Web servers run on Linux, and open-source software is used on many of the rest.

A more secure Internet is never a bad thing, and if you have an interest in security, you could make quite a bit of scratch while making a useful program better for everyone. Whatever it is that you like, chances are that $3,133.70 can buy an awful lot of it.


Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

  • jhansonxi
    "Open-source software is developed and maintained by unpaid volunteers..."
    Some is, not all. Most of the developers of high-profile non-game software are employed by companies that use the software they work on.