Google announces revamp of its Patch Rewards program for open-source security
Google LLC said today it’s planning to revamp its six-year-old Patch Rewards program for open-source software developers beginning next year.
Patch Rewards is one of Google’s oldest security programs. It began life in 2013 when the company said it would provide financial aid to developers of open-source projects that implement important security features.
In order to get paid, project maintainers would first have to apply and provide a plan for the feature they intended to implement. Google would then commit to providing a financial reward that would be paid out only after the feature was implemented.
But that will change starting Jan. 1, as Google said it’s now willing to pay out some rewards upfront, before the security features are delivered.
Jan Keller, a technical program manager at Google, explained why in a blog post today. Many open-source project maintainers prioritize the security features they’re working on based on the sponsorships they receive. Sponsorships generally come from companies that use open-source software and need a specific security feature to be implemented. To ensure it’s delivered as fast as possible, they make a donation to the project with the condition that their request is given a higher priority than other features.
This kind of sponsorship is widely practiced in the open-source software community, Keller said. By providing funds upfront, Google said, it will let maintainers fund their work and prioritize security features without depending on such donations.
Open-source maintainers can request funding from Google’s Patch Rewards program for both small and big security features and improvements.
In the former case, it offers rewards of up to $5,000 for fixes to small security issues, such as “improvements to privilege separation or sandboxing, cleanup of integer arithmetic, or more generally fixing vulnerabilities identified in open-source software by bug bounty programs such as EU-FOSSA 2.”
For the latter, Google is offering up to $30,000 for open-source maintainers who invest more heavily in security, such as by providing support to find additional developers, or by implementing significant new security features.
Keller said any open-source software project is eligible for Patch Rewards, though Google’s selection panel will place a bigger emphasis on projects it believes are vital to the health of the internet and those that have large user bases.
Open-source software maintainers can apply for Patch Rewards through Google’s online application form.
Photo: Global Panorama/Flickr