Google offering $3,000 bounty for open-source bug patches

Open-source projects are a wild west of bugs and security issues, and Google has just put a bounty of their heads.

The search giant this week announced a cash reward programme for intrepid programmers who craft substantial patches for select open-source projects.

Designed to encourage "proactive security improvements," Google will offer between $500 (£313) and $3,133 (£1,960) for patches that meet certain qualifications. Submitted code must show significant beneficial changes, not just individual bug fixes, and more complex code is worth more cash.

Eligible patches include "cleanups of integer arithmetics," "memory allocator hardening," and "improvements to privilege separation." Patches must also be approved by the project's maintainers before being sent to Google for consideration.

Developers that enter can choose to remain anonymous and even submit patches for their own projects.

As Google rolls out the initiative, it is keeping the scope of projects open for bug bounty hunting fairly narrow.

Currently, the list is limited to core infrastructure network services and image parsers, open-source foundations of Google Chrome, high-impact libraries like OpenSSL, and security-critical components of Linux. Soon though, Google plans to include "common web servers, SMTP daemons, and more."

The programme is actually an extension of an earlier Vulnerability Reward Program Google launched in November 2010 and continues to run. That scheme focuses on finding glitches within Google's own web services, like YouTube, Blogger, and Google itself, and offers rewards as high as $20,000 (£12,500).

Google's open-source patch rewards page features a more detailed breakdown of the programme, including legal and tax information.