Google has decided that hackers could probably be better at finding its security vulnerabilities than its own engineers and has launched a reward program that pays up to $3,100 for each security flaw found.
The tech titan announced an expansion of its Patch Rewards program, which will enable hackers to find any security bugs in Google's properties, including Android. "The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet," according to Michal Zalewski of the Google Security Team.
Those looking to make a little cash on the side (the bounty for each bug ranges from $500 to $3,133.70) should be looking at these projects:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and LLVM
Of course, there are rules, and they tend to be very specific, including how hackers must notify Google "maintainers" in order to be paid. Google is hoping that cash can crowdsource a solution to its security bugs, and in the meantime give bored hackers an incentive to help out.