securesaml | 6 months ago

Google has a program where you can submit patches to OSS projects (including libxslt) https://bughunters.google.com/about/rules/open-source/492808...

The patches need to fix a systematic design flaw (which seems like you are trying to do).

You are eligible even if you are a contributor:

> Q: I'm a core developer working on one of the in-scope projects. Do my own patches qualify?

> A: They most certainly do.

Additionally, GitHub has: https://resources.github.com/github-secure-open-source-fund/

Companies have changed after seeing the log4j incident and are open to funding open source security (but we still need more).

nwellnhof | 6 months ago

I'm aware of the Patch Rewards program. The problem is that you have to complete the work first and then hope that you'll be rewarded. They also had a Security Subsidies program with upfront payments but this was discontinued in December 2024.

GitHub's program is restricted to GitHub repos, making it useless for many projects.