Google to Test Reward Program for Submitting Open Source Security Patches

You can make a fair bit of coin diving into code and rooting out vulnerabilities. In some instances, Microsoft will pay up to $100,000 for a single bug report, and Google's Vulnerability Reward Program routinely pays out thousands of dollars. It's a win-win situation, except for projects maintained by only a small team of developers.

With that in mind, Google is trying something new. Going beyond vulnerability rewards, Google said it will start providing financial incentives for "down-to-earth, proactive improvements" that go past simply fixing a known security bug, targeting "key third-party software" that is vital to the health of the Internet. This could entail switching to a more secure allocator, adding privilege separation, and more.

"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it," Google stated in a blog post.

In short, create a patch for an open source project and you could be rewarded anywhere from $500 to $3,133.70. Google has already selected a handful of projects that qualify, among them core infrastructure network services (OpenSSH, BIND, ISC DHCP), and will soon extend the program to even more.
