[News]GOOGLE WILL NOW REWARD ANDROID DEVELOPERS TOO FOR SUBMITTING PATCHES TO AOSP FOR SECURITY


Sanket Shah

Nov 20, 2013, 11:44:08 AM
to indian-...@googlegroups.com

The search engine giant Google on October 9, 2013 announced a new, experimental program that rewards proactive security improvements to select open-source projects. This effort complements and focuses their long-running vulnerability reward programs for Google web applications and for the new Google Chrome OS. The official announcement on Google's blog reads:

We all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program - and employ it to improve the security of key third-party software critical to the health of the entire Internet.

As per Google, announcing only a bug hunting program for developers won’t generate a specific volume of traffic for the same and could easily backfire on them. So, Google will now reward the developer who actually finds a bug and reports the patch to Google’s Security Team.

What programs are included in the Patch Reward Program?

  • All the open-source components of Android: Android Open Source Project. (New addition)
  • Widely used Web servers: Apache httpd, lighttpd, nginx.
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot.
  • Virtual private networking: OpenVPN.
  • Network time: University of Delaware NTPD.
  • Additional core libraries: Mozilla NSS, libxml2.
  • Toolchain security improvements for GCC, binutils, and llvm.

These additions join the following five project types with which Google launched its program in October:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP.
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib.
  • Open-source foundations of Google Chrome: Chromium Project, Blink.
  • Other libraries: OpenSSL, zlib.
  • Security-critical, commonly used components of the Linux kernel (including KVM).

What types of submissions qualify?

Any patch that has a demonstrable, significant, and proactive impact on the security of one of the in-scope projects will be considered for a reward.

  • Improvements to privilege separation,
  • Memory allocator hardening,
  • Cleanups of integer arithmetic,
  • Systematic fixes for various types of race conditions,
  • Elimination of error-prone design patterns or library calls

Read more here at my blog post

Regards,
Sanket Shah