Google has been supporting open source projects with rewards under its Patch Reward Program since October 2013. The main focus of the program is to not only implement security protocols in open source projects but also enhance them as the project matures. It is part of Google’s contribution to making the overall web healthy and secure for users.
According to Google’s security blog, they are introducing a new iteration of the Patch Reward Program next year. The program will now cover the projects during their initial incubation state too. Previously, the program only included projects that have already been implemented.
Starting in January 2020, the Patch Reward Program will provide financial support to the developers of open source projects to enhance their network security. The funding is meant as a resource that lets the main developers prioritize security work. Initially, the program will have only two levels, but Google will add more over time.
Small ($5000 USD)
If the project has only a handful of security issues, it will qualify under the small category, in which selected projects receive only $5000 USD. The scope of the project is not taken into consideration if it has only minor bugs and the selection team thinks that it does not require more funds. Any security bug caught by the EU-FOSSA 2 program falls under this category.
Large ($30,000 USD)
This segment is to incentivize substantial investments in security protocols for big projects. It will provide support for adding new developers or for implementing a significant new security patch, such as adding another compiler mitigation program.
The nomination process for the program is the same as before. Anyone can apply for the program, and Google’s Patch Reward Panel will review submissions every month. The panel contacts the project maintainers directly if the project is selected.