Program Rules
On October 9, 2013, we announced a new, experimental program that rewards proactive security improvements to select open-source projects. This effort complements and extends our long-running vulnerability reward programs for Google web applications and for Google Chrome.
Projects in scope
We intend to roll out the program gradually, monitoring the quality of the received submissions and the feedback from the developer community. Currently, the scope is limited to the following projects:
Open-source foundations of Chrome and Android: Chromium, Blink, AOSP
Security-critical, commonly used components of the Linux kernel (including KVM)
High-profile web and mail servers: Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, Dovecot
Other high-impact network services: OpenSSH, OpenVPN, BIND, ISC DHCP, University of Delaware NTPD
Core infrastructure data parsers: libjpeg, libjpeg-turbo, libpng, giflib, zlib, libxml2
Other essential libraries: OpenSSL, Mozilla NSS
Toolchain security improvements for GCC, binutils, and llvm
More info @ http://www.google.com/about/appsecurity/patch-rewards/