On October 9, 2013, we announced a new, experimental program that rewards proactive security improvements to select open-source projects. This effort complements and extends our long-running vulnerability reward programs for Google web applications and for Google Chrome.
Projects in scope
We intend to roll out the program gradually, monitoring the quality of the received submissions and the feedback from the developer community. Currently, the scope is limited to the following projects:
- Open-source foundations of Chrome and Android: Chromium, Blink, AOSP
- Security-critical, commonly used components of the Linux kernel (including KVM)
- High-profile web and mail servers: Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, Dovecot
- Other high-impact network services: OpenSSH, OpenVPN, BIND, ISC DHCP, University of Delaware NTPD
- Core infrastructure data parsers: libjpeg, libjpeg-turbo, libpng, giflib, zlib, libxml2
- Other essential libraries: OpenSSL, Mozilla NSS
- Toolchain security improvements for GCC, binutils, and llvm