1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News from the land of patch rewards

Discussion in 'Google Online Security Blog' started by RSS, Mar 24, 2015.

  1. RSS

    RSS New Member Member

    It’s been a year since we launched our Patch Reward program, a novel effort designed to recognize and reward proactive contributions to the security of key open-source projects that make the Internet tick. Our goal is to provide financial incentives for improvements that go beyond merely fixing a known security bug.

    We started with a modest scope and reward amounts, but have gradually expanded the program over the past few months. We’ve seen some great work so far—and to help guide future submissions, we wanted to share some of our favorites:
    • Addition of Curve25519 and several other primitives in OpenSSH to strengthen its cryptographic foundations and improve performance.
    • A set of patches to reduce the likelihood of ASLR info leaks in Linux to make certain types of memory corruption bugs more difficult to exploit.
    • And, of course, the recent attack-surface-reducing function prefix patch in bash that helped mitigate a flurry of “Shellshock”-related bugs.

    We hope that this list inspires even more contributions in the year to come. Of course, before participating, be sure to read the rules page. When done, simply send your nominations to security-patches@google.com. And keep up the great work!

    Posted by Michal Zalewski, Google Security Team
    [​IMG] [​IMG]

    Continue reading...

Share This Page