Google Offer OSS Patch Bounty to Fixers

Google offer OSS bug bounty to fixers
Google offer OSS bug bounty to fixers

Attitudes are changing in the post-Snowden world – and one of the big winners is likely to be open source software (OSS). Caspar Bowden, a former chief privacy officer with Microsoft, recently told the audience of a privacy conference in Switzerland that he only uses open source software, where he can examine the underlying code. He is concerned about backdoors inserted by or for government agencies, and believes that open source will make life harder for adversaries.

Bruce Schneier takes a similar view: "In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert." 

In a question and answer session with Guardian readers, James Ball, asked if OSS could be secure, and described both the strength and weakness of security in OSS. "Anything done [by attackers] to open source projects, particularly popular ones, will have to be subtle, as anyone can audit the code. So I do believe they’re more trustworthy/dependable than other things." But Ball also explained the big problem with OSS: "almost nothing is certain, and we see quite regularly bugs/vulnerabilities discovered in major open source projects that have lain undiscovered for months." 

The question, then, is how can the general security of OSS be improved, maintained and protected from undiscovered flaws. While proprietary software developers have started to offer 'bug bounties' to persuade and reward independent researchers for finding these undiscovered flaws in their own software (Microsoft recently paid $100,000 for a mitigation bypass technique), this approach simply doesn't work for OSS. 

Now Google has come up with a novel approach – not so much a bug bounty as a patch bounty. "We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire," explained Michael Zalewski in a Google blog this week. "In addition to valid reports, bug bounties invite a significant volume of spurious traffic – enough to completely overwhelm a small community of volunteers."

Instead, Google will be providing financial incentives for the open source community to find and fix bugs, or simply improve the security of the application. "Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help!" says Google.

The open source community will retain control. Patches are to be submitted to the maintainers of the individual projects. Only when they are accepted and merged into the code repository do they become eligible for Google's bounty – which could be anything from $500 to $3,133.7. In theory, an adversary could still attempt to slip weakened code or a back door into OSS, but it would be very difficult to get past the bounty offered to find and fix it.

The purpose, says Zalewski, is "to improve the security of key third-party software critical to the health of the entire Internet." The program will be rolled out gradually, starting with projects such as OpenSSH, BIND, ISC DHCP, security-critical components of the Linux kernel such as KVM, and including the open source foundations of Chrome: Chromium and Blink. In time the company hopes to expand the program to include other projects such as Apache, Sendmail and OpenVPN.

The open source community is likely to welcome the new program. It "is not only an innovative approach in increasing software quality and security," explains Amol Sarwate, director of Vulnerability Labs at Qualys, "but is a win-win situation for everyone. In addition to focusing the energy of the security community on finding vulnerabilities with bug bounty programs this program attempts to find approaches so that those vulnerabilities do not occur in the first place. 

"The software that Google is targeting is not only Google products but also open source products that are the backbone of today’s internet, like OpenSSH, OpenSSL, BIND, ISC DHCP and the Linux kernel. The best part is that Google wants developers to send code improvements directly to the project maintainer and not to Google. Once improvements are accepted by the project maintainer, Google will reward people based on their contribution. This will ensure that there are no patches floating around that claim to fix bugs but in reality may break something or even have new vulnerabilities. In short, it's a win-win for the open source community."

What’s Hot on Infosecurity Magazine?