Google to Test Reward Program for Submitting Open Source Security Patches
With that in mind, Google is trying something new. Going beyond vulnerability rewards, Google said it will start paying for "down-to-earth, proactive improvements" that go further than fixing a single known security bug, targeting "key third-party software" that is important to the health of the Internet. Qualifying work could include switching a project to a more secure memory allocator, adding privilege separation, and similar hardening measures.
"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it," Google stated in a blog post.
In short, contribute a security-improving patch to one of the covered open source projects and you could be rewarded anywhere from $500 to $3,133.70. Google has already selected a handful of projects that qualify, among them core infrastructure network services (OpenSSH, BIND, ISC DHCP), and says it will soon extend the program to more.