Google has announced plans to reward developers for proactive security improvements for select open source projects.
Initially, these include core infrastructure network services such as OpenSSH, core infrastructure image parsers such as Libjpeg, open source foundations of Google Chrome, high-impact libraries such as OpenSSL and security-critical components of the Linux kernel.
The internet firm said the initiative aims to improve the security of key third-party software critical to the health of the internet.
The new scheme offers rewards of between $500 and $3,000 for any patch that has “a demonstrable, significant, and proactive impact” on the security of one of the in-scope projects.
Adjudicators will be looking for things such as improvements to privilege separation, memory allocator hardening and the elimination of error-prone design patterns.
But Google said reactive patches that merely address a single, previously discovered vulnerability will not be eligible for rewards.
To qualify, patches must first be submitted directly to the maintainers of the project, and developers must work with them to have the patches accepted into the repository and incorporated into the project's code before applying for a reward.
Google decided against creating a bounty programme for finding bugs in open source code because of fears of being overwhelmed by “spurious traffic”, said Michal Zalewski of Google's security team.
“We decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” he wrote in Google’s security blog.
Although Google has limited the scope of the qualifying open source projects to begin with, the firm plans to extend the initiative to include web servers such as Apache, SMTP services such as Sendmail and virtual private network software such as OpenVPN.