Google expands Patch Rewards Program

Developers who can make security improvements to an important open source project get money from Google. More open source projects are now in the program.

Michal Zalewski of the Google Security Team has announced in a Google Online Security Blog entry that the company has expanded the reach of their Patch Rewards Program.

Google announced the program last month.  The idea of the program is to provide rewards for researchers to propose "proactive security improvements" in important open source projects. Rewards will range from $500 to $3,133.70.

The initial list of programs was:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
  • Open-source foundations of Google Chrome: Chromium, Blink
  • Other high-impact libraries: OpenSSL, zlib
  • Security-critical, commonly used components of the Linux kernel (including KVM)

The new additions to the program are:

  • All the open-source components of Android: Android Open Source Project
  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
  • Virtual private networking: OpenVPN
  • Network time: University of Delaware NTPD
  • Additional core libraries: Mozilla NSS, libxml2
  • Toolchain security improvements for GCC, binutils, and llvm

Any patch that "...has a demonstrable, significant, and proactive impact on the security of one of the in-scope projects will be considered for a reward." The submission could be quite simple. The submitter must work through the open source project's maintainer to get the improvement incorporated into a shipping version of the program. At that point the programmer can submit it to Google.

The idea is similar to  Microsoft's Blue Hat Bonus for Defense program , through which the company awards as much as $50,000 for a defensive technique which would counter an attack technique that can bypass current attack mitigations. The reward may be smaller, but the opportunities in Google's program are much more plentiful.