
Google to Pay for Security Upgrades in Open Source Projects

Google is modifying its Patch Reward Program, which pays open source projects for security improvements, and will now provide funding up front to projects that do not have the financial resources to do the work on their own.

The Patch Reward Program is an offshoot of Google’s Vulnerability Reward Program, which pays researchers for discovering and reporting security flaws in certain Google products and services. Google started the Patch Reward Program in 2013 as a way to encourage the maintainers of open source projects to address security weaknesses. It does not pay for fixing individual vulnerabilities; rather, it rewards developers for proactive work such as hardening specific components or eliminating known vulnerable libraries.

Originally, the program required developers to submit their improvements to the maintainers of a given open source project first, and only afterward submit them to Google for consideration for a reward. Now, Google will also provide money up front to projects that want to undertake security improvements they cannot otherwise afford. Beginning in January 2020, Google will provide as much as $30,000 per project, depending on the scope of the work being tackled. The top end of the scale is reserved for large open source projects that need to make a significant change or bring in new developers.

For smaller projects, Google will provide $5,000 to address security problems such as improving sandboxing or patching vulnerabilities.

“Starting on January 1, 2020, we’re not only going to reward proactive security improvements after the work is completed, but we will also complement the program with upfront financial support to provide an additional resource for open source developers to prioritize security work. For example, if you are a small open source project and you want to improve security, but don’t have the necessary resources, this new reward can help you acquire additional development capacity,” Jan Keller, technical program manager for security at Google, said.

Many open source projects are developed and maintained by individual developers or small teams of volunteers, so the resources at their disposal are typically quite limited. Finding and fixing security vulnerabilities or implementing new security features is expensive in both time and development effort, so financial support from Google could be a significant aid to the developers of those projects.

The new reward program is available to any open source project, and Google’s evaluation panel will review submissions each month to decide which projects receive rewards.