Google has been a long time rewarder of those who find security related bugs in its Chrome web browser, in fact it has been known to give out as much as $60,000 per bug to security researchers who were able to demonstrate an exploit in Chrome during a Google organized competition. Last month Google extended its reward scheme to include patches submitted to open source projects that improved the security of that project. The initial list of supported projects included OpenSSH, BIND and OpenSSL.
This week Google has announced that it is extending this new Patch Reward Program to cover other open source projects including Android! The Patch Reward Program is intended to be more than just a open source bug hunt, but rather a way to provide real financial incentives for coders who submit patches that proactively improve the security of a project. In other words fixing a known security vulnerability doesn’t qualify, but if a developer adds code to improve security, for example by adding privilege separation or by enabling Address Space Layout Randomization (ASLR) etc., then they qualify.
The way it works is this, patches need to be submitted to the maintainers of the open source project, like AOSP, and then Google needs to be notified about the patch and what it does. If Google reckons the patch has a positive impact on security then the developer will get a reward ranging from $500 to $3,133.7.
By including Android in this scheme Google are yet again proving that it takes Android security seriously. Android 4.3 included several security enhancements, as did Android 4.4 and since Google moved the Verify Apps feature, which scans any apps that are being installed and blocks the harmful ones, from the OS into the Google Play Services, every Android user from Android 2.3 onwards can rest assured that malicious apps can’t be easily installed on their device, regardless of the installation source.
Other projects now eligible for the Patch Reward Program are Apache httpd, Sendmail, Postfix, Exim, Dovecot, OpenVPN, GCC, binutils, and LLVM.