UPDATED 20:09 EST / DECEMBER 18 2019

Google announces revamp of its Patch Rewards program for open-source security

Google LLC said today it’s planning to revamp its six-year-old Patch Rewards program for open-source software developers beginning next year.

Patch Rewards is one of Google’s oldest security programs. It began life in 2013 when the company said it would provide financial aid to developers of open-source projects that implement important security features.

To get paid, project maintainers first had to apply and submit a plan for the feature they intended to implement. Google would then commit to a financial reward, but the money was paid out only after the feature had been delivered.

But that will change starting Jan. 1, as Google said it’s now willing to pay out some rewards upfront, before the security features are delivered.

Jan Keller, a technical program manager at Google, explained why in a blog post today. Many open-source project maintainers prioritize the security features they’re working on based on the sponsorships they receive. Sponsorships generally come from companies that use open-source software and need a specific security feature to be implemented. To ensure it’s delivered as fast as possible, they make a donation to the project with the condition that their request is given a higher priority than other features.

This kind of sponsorship is widely practiced in the open-source software community, Keller said. By providing funds to maintainers upfront, Google said, it will help them to fund their work and prioritize security features without relying on donations.

Open-source maintainers can request funding from Google’s Patch Rewards program for both small and big security features and improvements.

In the former case, it offers rewards of up to $5,000 for fixes to small security issues, such as “improvements to privilege separation or sandboxing, cleanup of integer arithmetics, or more generally fixing vulnerabilities identified in open-source software by bug bounty programs such as EU-FOSSA 2.”

For the latter, Google is offering up to $30,000 for open-source maintainers who invest more heavily in security, such as by providing support to find additional developers, or by implementing significant new security features.

Keller said any open-source software project is eligible for Patch Rewards, though Google’s selection panel will place a bigger emphasis on projects it believes are vital to the health of the internet and those with large user bases.

Open-source software maintainers can apply for Patch Rewards through an online application form linked from Google’s announcement.

Photo: Global Panorama/Flickr
