Google is rolling out its Vulnerability Reward Program.

They plan to provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug.


They intend to roll out the program gradually, based on the quality of the received submissions and the feedback from the developer community. For the initial run, we decided to limit the scope to the following projects:

• Core infrastructure network services: OpenSSH, BIND, ISC DHCP
• Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
• Open-source foundations of Google Chrome: Chromium, Blink
• Other high-impact libraries: OpenSSL, zlib
• Security-critical, commonly used components of the Linux kernel (including KVM)

They intend to soon extend the program to:

• Widely used web servers: Apache httpd, lighttpd, nginx
• Popular SMTP services: Sendmail, Postfix, Exim
• Toolchain security improvements for GCC, binutils, and llvm
• Virtual private networking: OpenVPN

You can submit your patches directly to the maintainers of the individual projects. Once your patch is accepted and merged into the repository, please send all the relevant details to security-patches@google.com.