Google says it plans to be more proactive in its bug and
vulnerability hunting and is now offering money before patch work is completed,
as opposed to after the fact.
Security needs to be a proactive enterprise, which
usually means that companies such as Google have to fund bug-hunting programs
so that they learn about vulnerabilities before they cause harm. The Patch
Rewards program for third-party open-source projects is a good example, and,
until now, it worked by rewarding developers for discovering vulnerabilities
and other issues.
One change Google is implementing in the Patch Rewards
program is to make it proactive. More precisely, it will pay the developers of
third-party open-source programs for security improvements.
“We’re not only going to reward proactive security improvements after the work is completed, but we will also complement the program with upfront financial support to provide an additional resource for open source developers to prioritize security work,” said Google’s Jan Keller, Technical Program Manager.
“For example, if you are a small open source project and
you want to improve security, but don’t have the necessary resources, this new
reward can help you acquire additional development capacity.”
For now, Google is offering two support levels. The smaller
one, of $5,000, is meant as an incentive for fixing vulnerabilities identified
in open source software by bug bounty programs such as EU-FOSSA 2.
The second tier is much bigger, at up to $30,000, and is
aimed at large projects that need to invest in hiring new developers or add new
The money will be awarded after a short nomination
process and after the projects submit their plans for strengthening security. The
regular Patch Rewards program will continue unabated, with the current changes
working only as an addendum.