The idea of the program is to provide rewards for researchers to propose "proactive security improvements" in important open source projects. Rewards will range from $500 to $3,133.70.
The initial list of in-scope projects was:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
The new additions to the program's scope are:
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and llvm
Any patch that "...has a demonstrable, significant, and proactive impact on the security of one of the in-scope projects will be considered for a reward." The submission itself can be quite simple, but the submitter must first work through the open source project's maintainers to get the improvement merged and included in a shipping version of the program; only then can the patch be submitted to Google for a reward.
The idea is similar to, through which the company awards as much as $50,000 for a defensive technique which would counter an attack technique that can bypass current attack mitigations. The reward may be smaller, but the opportunities in Google's program are much more plentiful.