
Google Adds OpenVPN, Apache to Patch Rewards Program

Google's push to ferret out security holes in external products has been expanded to include OpenVPN and Apache httpd, two of the most widely deployed open-source programs.

The addition of the OpenVPN virtual private network and the Apache web server follows Google's October announcement that it would shell out cash rewards to hackers who find and responsibly report security vulnerabilities in non-Google products.


The company is paying between $500 and $3,133.70, depending on the class and severity of the reported vulnerability.

According to Michal Zalewski from the Google Security Team, security improvements in third-party open-source programs "are vital to the health of the entire Internet."

In addition to OpenVPN and Apache, Google is expanding the program to include web servers lighttpd and nginx; mail delivery services Sendmail, Postfix, Exim and Dovecot; the open-source components of Android; and several key open-source technologies that handle reliability on the Internet. 

In October, the program launched with a challenge for hackers to find and report flaws in the following projects:

- Core infrastructure network services: OpenSSH, BIND, ISC DHCP

- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib

- Open-source foundations of Google Chrome: Chromium, Blink

- Other high-impact libraries: OpenSSL, zlib

- Security-critical, commonly used components of the Linux kernel (including KVM)


Ryan is the host of the SecurityWeek podcast series "Security Conversations". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.