Google’s push to ferret out security holes in external products has been expanded to include OpenVPN and Apache httpd, two of the most widely deployed open-source programs.
The addition of the OpenVPN virtual private network and the Apache web server follows Google’s October announcement that it would shell out cash rewards to hackers who find and responsibly report security vulnerabilities in non-Google products.
The company is paying between $500 and $3,133.70, depending on the class and severity of the reported vulnerability.
According to Michal Zalewski from the Google Security Team, security improvements in third-party open-source programs “are vital to the health of the entire Internet.”
In addition to OpenVPN and Apache, Google is expanding the program to include web servers lighttpd and nginx; mail delivery services Sendmail, Postfix, Exim and Dovecot; the open-source components of Android; and several key open-source technologies that handle reliability on the Internet.
In October, the program launched with a challenge for hackers to find and report flaws in the following projects:
– Core infrastructure network services: OpenSSH, BIND, ISC DHCP
– Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
– Open-source foundations of Google Chrome: Chromium, Blink
– Other high-impact libraries: OpenSSL, zlib
– Security-critical, commonly used components of the Linux kernel (including KVM)

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
