Thursday 21 November 2013

Google adds Android and Apache to open source security rewards programme

Google has extended its Patch Reward Program to include a raft of new platforms and technologies, including its own Android system, as it looks to improve the security of open source software.
The firm announced an overhaul to its security patch policies last month, offering white hats up to $3,133 for fixes.
Google said this would be extended to more platforms before the end of the year, and Google information security engineer Michal Zalewski confirmed the new areas covered by the programme in a blog post.
"The goal is very simple: to recognise and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire internet," he wrote in the post. “We started with a fairly conservative scope, but said we would expand the program soon.”
Zalewski listed the new areas covered as: Android, Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, GCC, binutils, llvm, and OpenVPN.
This is almost identical to the original list set out by Google, although it includes some additional platforms. These are: "Network time: University of Delaware NTPD", "Additional core libraries: Mozilla NSS, libxml2" and "Toolchain security improvements for GCC, binutils, and llvm".
The announcement comes at a busy time for security reward programmes after Yahoo was humbled into improving its own service by offering $15,000, rather than t-shirts and caps. Microsoft has also improved its programme to provide payments of up to $100,000 for early alerts about active cyber incidents.
This allows security professionals to benefit from spotting attacks in the wild, rather than finding their own methods for breaking into systems.
