top | item 15713924


zerebubuth | 8 years ago

Wow! That's really impressive. Seems like a _lot_ of work and ingenuity went into this.

It's great that large, corporate projects like Chrome OS are attracting the sustained attention necessary to find bugs such as this one. But I worry that projects without such deep pockets are crowded out, leaving bugs unreported. Are many people doing security audits of open source projects without bug bounties?


delroth | 8 years ago

Google has been doing something close to bug bounties for many "critical" open source projects. Instead of focusing on bugs, however, Patch Rewards focuses on countermeasures: integrating a project into OSS-Fuzz, adding sandboxing, etc.

https://www.google.com/about/appsecurity/patch-rewards/

woodrowbarlow | 8 years ago

One avenue for many smaller projects (especially open source libraries) is to become a dependency of a huge project like Chrome. Then the larger project redirects some of its auditing efforts toward your project.