Google says it plans to be more proactive in its bug and vulnerability hunting and is now offering money before patch work is completed, as opposed to after the fact.
Security needs to be a proactive enterprise, which usually means that companies such as Google have to fund bug-hunting programs so that they learn about vulnerabilities before they can be exploited. The Patch Rewards program for third-party open-source projects is a good example. Until now, it worked after the fact: developers were rewarded for security improvements they had already shipped.
The change Google is making to the Patch Rewards program is to make it proactive. More precisely, it will now fund security work in third-party open-source projects upfront, before the improvements are completed.
“We’re not only going to reward proactive security improvements after the work is completed, but we will also complement the program with upfront financial support to provide an additional resource for open source developers to prioritize security work,” said Google’s Jan Keller, Technical Program Manager.
“For example, if you are a small open source project and you want to improve security, but don’t have the necessary resources, this new reward can help you acquire additional development capacity.”
For now, Google is offering two support levels. The smaller tier, $5,000, is meant as an incentive to fix vulnerabilities that bug bounty programs such as EU-FOSSA 2 have identified in open-source software.
The second tier is much larger, at up to $30,000, and is aimed at big projects that need to invest in hiring additional developers or adding new security features.
The money will be awarded after a short nomination process, once a project has submitted its plan for strengthening security. The existing Patch Rewards program will continue unchanged; the upfront funding is an addition to it, not a replacement.