Google applies bug bounty model to open-source projects

The search giant will reward large security improvements to open-source projects that power the internet.

After handing out millions of dollars in security bug bounties, Google is extending the model to reward security improvements made to a selection of open-source projects.

This new program, dubbed Patch Rewards, is focused on patches that have a "demonstrable, significant, and proactive impact" on security, rather than rewarding developers for bug fixes, as the current Vulnerability Reward Program does.

"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire," wrote Michal Zalewski of the Google security team in a blog post.

"In addition to valid reports, bug bounties invite a significant volume of spurious traffic — enough to completely overwhelm a small community of volunteers.

"On top of this, fixing a problem often requires more effort than finding it."

For a patch to be eligible for payment, it must be submitted directly to the maintainers of a selected project, merged into the source code repository of the project, and be part of a project release. Only after that process is complete can developers submit their patch to the Patch Reward program.

Should a project reject a patch, the developer will have no recourse to apply to Google for payment; Google says the decision to accept a patch rests solely with the maintainers of the open-source project.

"Given the nature of the program, we do not wish to second-guess the decisions of those managing the project," the company said.

Examples given by Google of improvements that would qualify for Patch Rewards are improvements to privilege separation, memory allocator hardening, cleanups of integer arithmetic, systematic fixes for various types of race conditions, and elimination of error-prone design patterns and library calls.
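To make concrete what a "cleanup of integer arithmetic" patch looks like in practice, here is an added illustration written for this article; it is not code from Google's announcement or from any of the listed projects, and the function names (naive_alloc_size, checked_alloc_size, alloc_array) are invented for the example. It places the classic wrapping size computation beside an overflow-checked replacement of the kind such a proactive patch would introduce across a code base.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* "Before": the common pattern a cleanup patch replaces. Unsigned
 * multiplication wraps silently, so an oversized element count yields a
 * small allocation and, later, an out-of-bounds write. Shown only to
 * contrast with the checked version below; never use it to size memory. */
size_t naive_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* "After": compute count * elem_size only if it cannot wrap.
 * Returns true and writes *out on success; returns false and leaves
 * *out untouched when the product would exceed SIZE_MAX. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Hardened allocation helper: refuses an overflowing request instead of
 * handing back a too-small buffer. Caller frees the result. */
void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size_t bytes;
    /* Constructed inputs: one realistic request and one that wraps. */
    printf("naive  (1000, 4)         = %zu\n", naive_alloc_size(1000, 4));
    printf("naive  (SIZE_MAX, 2)     = %zu (wrapped)\n", naive_alloc_size(SIZE_MAX, 2));
    printf("checked(1000, 4)         -> %s\n",
           checked_alloc_size(1000, 4, &bytes) ? "ok" : "overflow");
    printf("checked(SIZE_MAX, 2)     -> %s\n",
           checked_alloc_size(SIZE_MAX, 2, &bytes) ? "ok" : "overflow");
    void *p = alloc_array(SIZE_MAX, 2);
    printf("alloc_array(SIZE_MAX, 2) = %s\n", p ? "non-NULL" : "NULL (refused)");
    free(p);
    return 0;
}
```

The point of such a patch is that it is systematic: every `count * size` passed to an allocator goes through the checked helper, rather than one call site being fixed after a specific overflow is reported, which is the distinction the program draws between proactive and reactive work.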

"Reactive patches that merely address a single, previously discovered vulnerability will typically not be eligible for rewards," says the Patch Rewards page.

The projects initially announced as eligible are OpenSSH, BIND, ISC DHCP, libjpeg, libpng, giflib, Chromium, Blink, OpenSSL, zlib, and "security-critical, commonly used components" of the Linux kernel.

In the next few weeks, Google intends to add Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, GCC, binutils, llvm, and OpenVPN to the program.

Developers on any of these open-source projects are eligible for payment from Google.

Rewards range from $500 to $3,133.70, depending on the "demonstrable, positive impact on the security of the project" that a patch has, as judged by a panel from Google's security team.
