News from the land of patch rewards
October 9th, 2014 | Published in Google Online Security
It’s been a year since we launched our Patch Reward program, a novel effort designed to recognize and reward proactive contributions to the security of key open-source projects that make the Internet tick. Our goal is to provide financial incentives for improvements that go beyond merely fixing a known security bug.
We started with a modest scope and reward amounts, but have gradually expanded the program over the past few months. We’ve seen some great work so far—and to help guide future submissions, we wanted to share some of our favorites:
- Incorporation of a variety of web security checks directly into Django to help users develop safer web applications.
- Support for seccomp-bpf sandboxing in BIND to minimize the impact of remote code execution bugs.
- Addition of Curve25519 and several other primitives in OpenSSH to strengthen its cryptographic foundations and improve performance.
- A set of patches to reduce the likelihood of ASLR info leaks in Linux to make certain types of memory corruption bugs more difficult to exploit.
- And, of course, the recent attack-surface-reducing function prefix patch in bash that helped mitigate a flurry of “Shellshock”-related bugs.
We hope that this list inspires even more contributions in the year to come. Of course, before participating, be sure to read the rules page. When done, simply send your nominations to . And keep up the great work!
Posted by Michal Zalewski, Google Security Team