Google to Test Reward Program for Submitting Open Source Security Patches

You can make a fair bit of coin diving into code and rooting out vulnerabilities. In some instances, Microsoft will pay up to $100,000 for a single bug report, and Google's Vulnerability Reward Program routinely pays out thousands of dollars. It's a win-win situation, except when dealing with services that have only a small team of developers.

With that in mind, Google is trying something new. Going beyond vulnerability rewards, Google said it will start providing financial incentives for "down-to-earth, proactive improvements" that go further than simply fixing a known security bug, targeting "key third-party software" that the health of the Internet depends on. This could entail switching to a more secure allocator, adding privilege separation, and more.

"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it," Google stated in a blog post.

In short, create a patch for an open source project and you could be rewarded anywhere from $500 to $3,133.70. Google has already selected a handful of projects that qualify, among them core infrastructure network services (OpenSSH, BIND, ISC DHCP), and will soon extend the program to even more.