The open source projects for whose patches researchers can get rewarded are currently core infrastructure network services such as OpenSSH, BIND, ISC DHCP; image parsers such as libjpeg, libjpeg-turbo, libpng, giflib; open source foundations of Google Chrome (Chromium, Blink); high-impact libraries such as OpenSSL and zlib, and security-critical components of the Linux kernel (including the Kernel-based Virtual Machine).
In the coming weeks and months, the program will include popular webservers, SMTP services, OpenVPN, GCC, binutils, llvm, and more.
"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire," explained Google security team member Michal Zalewski. "In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it."
The company explained that this time there will be no rewards for fixing individual bugs, because "quite a few vulnerabilities trace back to preventable coding mistakes, or are made easier to exploit due to the absence of simple mitigation techniques," and they are hoping to improve security from the bottom up.
All in all, on this particular program, Google will have little to do with the actual submissions, as the researchers are asked to submit the patches directly to the maintainers of each of the aforementioned projects.
Once a submission is accepted and included in the final code of the software, the researchers can submit the entry to Google, and the reward panel will decide how big a reward it deserves - usually from $500 to $3,133.7, but occasionally even higher it the submission is "unusually clever or complex".
Examples of qualifying submissions include improvements to privilege separation, memory allocator hardening, cleanups of integer arithmetics, systematic fixes for various types of race conditions, and elimination of error-prone design patterns or library calls.