Google is getting even more proactive about security. In a blog post on Monday, Google announced that it is expanding its Patch Reward program to pay users who uncover security flaws in Android.
Google launched its Patch program last month. At launch, it included the following project types:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
Now, in addition to these projects, Google has expanded the program to include:
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and llvm
The idea behind the program is to provide a financial incentive to users who discover and provide fixes for security holes in any of the projects listed above. According to Google, “Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help!”
That means that if you’re a motivated hacker, Google will now pay you for your findings – with rewards ranging from $500 to $3133.70. Noted hacker Pinkie Pie has already scooped up a bundle between the Patch program and hacking contests for fixing vulnerabilities in Google Chrome.
The addition of Android to the program is a big gain for mobile security, so get hacking. Just make sure to tell Google about it.