Google announced plans today to revamp the six-year-old Patch Rewards program starting next year, in 2020.
The Patch Rewards program is one of Google's oldest security-minded projects. It was started in October 2013, when Google announced it would provide financial aid to open-source projects if they implemented security features.
Project maintainers had to apply, provide a plan for the feature they wanted to implement, and Google would commit to a financial reward that would be paid once the feature was implemented.
Changes scheduled for next year
But, starting January 1, 2020, Google says it's changing how this program works and is now willing to provide financial aid upfront, even before projects implement the security features to which they commit.
The reason is that many open-source project maintainers prioritize features based on sponsorships they receive. This type of sponsorship is widely practiced in the FOSS (Free Open Source Software) community.
For example, if a company needs a particular feature in an open-source, the company usually donates to the project with the condition that the maintainers implement the feature they need with a higher priority, and before other features.
By its willingness to provide the funds upfront, Google is giving projects maintainers a way to fund their work and prioritize security features at the same time, rather than relying on donations from wealthy corporate entities.
New Patch Rewards rules
According to Google, open-source project maintainers can request upfront funds via the Patch Rewards program for two types of security-related features and improvements:
- Small ($5,000): Meant to motivate and reward a project for fixing a small number of security issues. Examples: improvements to privilege separation or sandboxing, cleanup of integer artimetrics, or more generally fixing vulnerabilities identified in open source software by bug bounty programs such as EU-FOSSA 2.
- Large ($30,000): Meant to incentivize a larger project to invest heavily in security, e.g. providing support to find additional developers, or implement a significant new security feature (e.g. new compiler mitigations).
Any open-source project can apply, Google said. All they have to do is fill out this form.
Google said a panel would review all submissions each month and select the projects they'll want to fund.
"When selecting projects, the panel will put an emphasis on projects that either are vital to the health of the Internet or are end-user projects with a large user base," said Jan Keller, Technical Program Manager for Security at Google.
To give readers an idea of what types of apps and libraries Google usually selects, the Patch Rewards program homepage lists the following open-source projects as in scope:
- Open-source foundations of Chrome and Android: Chromium, Blink, Omaha, AOSP(aka Android)
- Security-critical, commonly used components of the Linux kernel (including KVM)
- High-profile web and mail servers: Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, Dovecot
- Other high-impact network services: OpenSSH, OpenVPN, BIND, ISC DHCP, University of Delaware NTPD
- Core infrastructure data parsers: libjpeg, libjpeg-turbo, libpng, giflib, zlib, libxml2
- Other essential libraries: OpenSSL, Mozilla NSS
- The reference implementation of Certificate Transparency and its open-source dependencies
- Toolchain security improvements for GCC, binutils, and llvm
- Security-relevant bits of common package managers: yum, apt, pip, npm
- Popular web frameworks and libraries: Angular, Closure, Dart, Django, Dojo Foundation, Ember, GWT, Go, Jinja (Werkzeug, Flask), jQuery, Knockout, Polymer, Struts, Web2py, Wicket
- Widespread decompression libraries: zlib, bzip2, tar, gzip, info-zip, cpio, xz, 7z, p7zip, ncompress, lzo
- Critical software used for cloud computing: Envoy proxy
- Projects integrated into OSS-Fuzz