Google Adds OpenVPN, Apache to Patch Rewards Program

Google’s push to ferret out security holes in external products has been expanded to include OpenVPN and Apache httpd, two of the most widely deployed open-source programs.

The addition of the OpenVPN virtual private network and the Apache web server follows Google’s October announcement that it would shell out cash rewards to hackers who find and responsibly report security vulnerabilities in non-Google products.

The company is paying between $500 and $3,133.70, depending on the class and severity of the reported vulnerability.

According to Michal Zalewski from the Google Security Team, security improvements in third-party open-source programs “are vital to the health of the entire Internet.”

In addition to OpenVPN and Apache, Google is expanding the program to include web servers lighttpd and nginx; mail delivery services Sendmail, Postfix, Exim and Dovecot; the open-source components of Android; and several key open-source technologies that handle reliability on the Internet. 

In October, the program launched with a challenge for hackers to find and report flaws in the following projects:

– Core infrastructure network services: OpenSSH, BIND, ISC DHCP

– Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib

– Open-source foundations of Google Chrome: Chromium, Blink

– Other high-impact libraries: OpenSSL, zlib

– Security-critical, commonly used components of the Linux kernel (including KVM)


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
