Google has announced updates to its existing Patch Reward Program. Beginning in 2020, Google will provide upfront financial support to select projects for improved security.
Google Patch Reward Program Update
In a recent blog post, Google has shared its plans for revamping the Patch Reward Program in the coming year. As mentioned by Jan Keller, Technical Program Manager, Security at Google, the tech giant will offer upfront financial support to some open-source projects.
The Google Patch Reward Program started in 2013 with the aim of assisting open-source projects in improving internet-wide security. Until now, qualifying projects received their rewards only after successful completion.
However, Google has now decided to support such projects with upfront financial help. The tech giant believes that this will help developers, especially startups, prioritize security.
If you are a small open source project and you want to improve security, but don’t have the necessary resources, this new reward can help you acquire additional development capacity.
The new reward offers support at two levels.
- Small: Support up to $5000 for small-scale projects addressing fewer issues. The scope includes things like the cleanup of integer arithmetic, improvements to privilege separation or sandboxing, or patching vulnerabilities in open-source software that were spotted by bug bounty programs.
- Large: Support up to $30,000 for large-scale projects needing substantial investment in security, such as hiring more developers or implementing new security features.
New Feature To Take Effect In 2020
The new reward will come into effect from January 1, 2020, as an extension to the existing one.
Under this program, Google will select a project from the nominations filed via the Project Nomination Form. The designated panel will make monthly selections and will directly collaborate with the chosen project maintainers.
Regarding the selection criteria, Google explained,
When selecting projects, the panel will put an emphasis on projects that either are vital to the health of the Internet or are end-user projects with a large user base.
In return, Google simply expects a pointer acknowledging its support, so that it can assess the success of the program.
Recently, Google also announced an expansion to its Android bug bounty program to include Titan M. It subsequently raised the reward cap to $1.5 million.