November 18, 2013

Even more patch rewards!

About a month ago, we kicked off our Patch Reward Program. The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.

We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:

  • All the open-source components of Android: Android Open Source Project
  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
  • Virtual private networking: OpenVPN
  • Network time: University of Delaware NTPD
  • Additional core libraries: Mozilla NSS, libxml2
  • Toolchain security improvements for GCC, binutils, and llvm

For more information about eligibility, reward amounts, and the submission process, please visit this page. Happy patching!


  1. Great to here that!

    Does discovering and fixing (sending patch to maintainer) security flaw in mentioned software will also be eligible for reward? After all it's also security improvement.


  2. The vulnerability program to improve security on third party software is a great idea. The open source community wants to improve software in the security area. The financial incentive that your team would provide has great potential to advance the program. The patched that are submitted could be a major benefit to the programs listed. Is Google model going forward to open source?


You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.