On 10/10/13 11:01, Gervase Markham wrote:
> http://googleonlinesecurity.blogspot.co.uk/2013/10/going-beyond-vulnerability-rewards.html
> 
> Google are now paying people, retrospectively, for any patch that
> improves the security of OpenSSH, BIND, ISC DHCP, libjpeg,
> libjpeg-turbo, libpng, giflib, Chromium, Blink, OpenSSL, zlib and
> commonly used components of the Linux kernel (including KVM).
> 
> Soon, they will also cover Apache httpd, lighttpd, nginx, Sendmail,
> Postfix, Exim, GCC, binutils, llvm and OpenVPN.
> 
> This includes the core developers of those projects!
> 
> Some of this work (e.g. on libjpeg or zlib) will benefit us directly.
> Other work (e.g. on OpenSSH) will benefit us indirectly, as we use those
> tools and want them to be secure. However, the inclusion of
> Chromium/Blink means that this program may steal potential security
> contributors from Mozilla and attract them to those projects.
> 
> Can we and should we attempt to do anything about that?

Gerv, how about asking Google to add NSS to the list of projects that are in-scope for this new rewards program?

I believe Chromium still uses NSS for TLS, and so NSS would qualify for the "Open-source foundations of Google Chrome" category.

Firefox uses NSS, and this alone makes NSS a "high-impact library".

And I think that "down-to-earth, proactive improvements that go beyond merely fixing a known security bug" describes the insanity::pkix effort rather well!

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security