Google announced plans today to revamp the six-year-old Patch Rewards program starting next year, in 2020.
The Patch Rewards program is one of Google's oldest security-minded projects. It was started in October 2013, when Google announced it would provide financial aid to open-source projects if they implemented security features.
Project maintainers had to apply and provide a plan for the feature they wanted to implement. Google would then commit to a financial reward that would be paid once the feature was implemented.
But, starting January 1, 2020, Google says it's changing how this program works and is now willing to provide financial aid upfront, even before projects implement the security features to which they commit.
The reason is that many open-source project maintainers prioritize features based on sponsorships they receive. This type of sponsorship is widely practiced in the FOSS (Free Open Source Software) community.
For example, if a company needs a particular feature in an open-source project, the company usually donates to the project on the condition that the maintainers implement that feature with a higher priority, ahead of other features.
By providing the funds upfront, Google is giving project maintainers a way to fund their work and prioritize security features at the same time, rather than relying on donations from wealthy corporate entities.
According to Google, open-source project maintainers can request upfront funds via the Patch Rewards program for two types of security-related features and improvements:
Any open-source project can apply, Google said. All they have to do is fill out this form.
Google said a panel would review all submissions each month and select the projects they'll want to fund.
"When selecting projects, the panel will put an emphasis on projects that either are vital to the health of the Internet or are end-user projects with a large user base," said Jan Keller, Technical Program Manager for Security at Google.
To give readers an idea of what types of apps and libraries Google usually selects, the Patch Rewards program homepage lists the following open-source projects as in scope: