In early October Google launched its patch reward program, which rewards members of the open source community for making security improvements to open source projects. The program was designed to be more than just an open source bug hunting exhibition; rather, it provides financial incentives for proactive security enhancements that go beyond fixing a known security vulnerability.
The program started out quite small in scope, with Google only considering patches for projects like OpenSSH, BIND, ISC DHCP, libjpeg, libjpeg-turbo, libpng, giflib and OpenSSL. To qualify, patches need to be submitted to the maintainers of the individual projects, and Google then needs to be notified about the improvements. If Google considers that the submission has a positive impact on security, the coder qualifies for a reward ranging from $500 to $3,133.7.
Now, after almost six weeks of running the initial program, Google has announced that it is ready to expand the program to include more open source projects, including Android. The full list of new projects now eligible for rewards is:
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and llvm
The inclusion of Android is interesting, as it shows that Google is keen to continue making security improvements to its very popular mobile operating system. Recently Google added SELinux and nosuid protection to Android and created a free built-in service called Verify Apps. Available for all versions of Android from 2.3 onwards, Verify Apps behaves very much like an antivirus scanner and blocks the installation of malicious software, regardless of its source.
In the past Android has been seen as less secure than Apple’s iOS, primarily because Android allows users to install apps from anywhere, not just from Google’s Play Store. Since Apple maintains a walled garden and only allows apps into its store after rigorous testing, malware scares have been less prominent on iOS. Vendors of Android security software suites seem to constantly write sensational headlines about how many new variants of Android malware are being created each month. Although technically they are right, users who stick to Google’s Play Store shouldn’t be in any danger.