top | item 27973191


bostondavidvc | 4 years ago

Whoa, this kind of impressed me (linked from the blog post) https://bughunters.google.com/about/patch-rewards

Payouts for security-positive improvements to security-critical OSS projects:

* $20,000 for setting up continuous fuzzing with OSS-Fuzz

* $10,000 for high-impact improvements that prevent major classes of vulnerabilities

but the low end of the scale is kind of neat too:

* "$1,337 for submissions of modest complexity, or for ones that offer fairly speculative gains."

* "$500 our "one-liner special" for smaller improvements that still have a merit from the security standpoint."

... and you can qualify for these even if your day job is working on one of these OSS projects!

> Q: I'm a core developer working on one of the in-scope projects. Do my own patches qualify?

> A: They most certainly do.

Neat stuff.

(Googler here, but I don't work on the VRP.)


Trias11 | 4 years ago

1. Press [Submit]

2. Thank you for your submission, that was an already known issue.

biryani_chicken | 4 years ago

Will project maintainers avoid writing issue tickets before sending the patch to this platform?

HenryKissinger | 4 years ago

They need to multiply these amounts by 50x. Cybersec researchers make 6-7 figures. 20k is almost nothing.

H8crilA | 4 years ago

Not sure why you're downvoted, but the $3M/year total rewards payoff is likely smaller than the corporate administrative and developer time (for review) costs. I.e. if this was a charity it would pay out less than 50 cents on the dollar.

fooker | 4 years ago

Not everyone can move from wherever they are to the Bay Area though.