Initially the program included core infrastructure network services such as OpenSSH, BIND, ISC DHCP; image parsers such as libjpeg, libjpeg-turbo, libpng, giflib; open source foundations of Google Chrome (Chromium, Blink); high-impact libraries such as OpenSSL and zlib, and security-critical components of the Linux kernel (including the Kernel-based Virtual Machine).
Now the list of projects eligible for rewards also includes the Android Open Source Project, web servers such as Apache httpd, lighttpd, nginx; mail delivery services Sendmail, Postfix, Exim, and Dovecot; OpenVPN; University of Delaware NTPD; additional core libraries: Mozilla NSS, libxml2; and toolchain security improvements for GCC, binutils, and llvm.
As before, researchers are urged to submit code improvements and patches to the programs’ maintainers directly, and after the submission is included in the software’s code, it can be brought to Google’s attention and a reward panel will decide on the amount to award (usually between $500 to $3,133.7). Reactive patches that address a single, previously discovered vulnerability will not be eligible for rewards.
“We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it,” explained Google security team member Michal Zalewski.
“So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help!”