TMCnet Feature
October 11, 2013

Google Steps Up Bug Bounty Program in Scope and Scale

By Steve Anderson, Contributing TMCnet Writer

The concept of a “bug bounty” program is well known, but Google is reportedly looking to go beyond the standard model of paying rewards for fixing a known security bug and step it up to a whole new level. The new program offers rewards for security improvements made to certain segments of open-source software, and it poses a whole new kind of challenge to those who would help the major company improve its software offerings.



Remarks from Google suggest that the program will be introduced gradually, with the speed of the rollout depending on several critical factors, including the feedback received from developers and the overall quality of the submissions Google gets in the field. Further reports indicate that rewards start at around the $500 level and go up to a current top of $3,133.70, though that top may well change by the time it's all said and done.

The early run also comes with some very specific terms, with Google offering the rewards only for certain projects. Among the targeted projects are core infrastructure network services, including OpenSSH, BIND, and ISC DHCP, as well as core infrastructure image parsers giflib, libpng, and both libjpeg and libjpeg-turbo. Also covered by Google's new plan are the open-source foundations of Chrome itself, including both Blink and Chromium, as well as high-impact libraries like OpenSSL and zlib. Finally, there is a category for the most-used portions of the Linux kernel, such as KVM. A full list, along with the more specific rules pertaining to the program, is available from Google.

However, at last report, there are plans to expand the program further to several other sectors, including the OpenVPN virtual private networking software, SMTP services like Exim, Postfix and Sendmail, major Web server programs like nginx, lighttpd and Apache httpd, and even toolchain improvements to things like GCC, llvm and binutils.

Reports suggest that Google had originally considered a program rewarding the finding and removal of open-source bugs in general, but discarded that possibility because such a program could easily “backfire,” generating a volume of reports that would overwhelm the small numbers of volunteers maintaining these projects. But Google isn't just looking for bugs to be found; it also wants bug hunters to fix the bugs in question, not just spot them and pass the information up the ladder.

Further reports suggest that Google has previously paid out over $2 million in security rewards after just three years of running such programs, with over 2,000 bugs fixed as a result. The combination of cash rewards sufficient to keep researchers interested and an expanded set of fields for which rewards are offered should ultimately prove more than worthwhile for Google and for its users. It's seldom a bad idea to have a second set of eyes going over any project that comes out, be it anything from a novel to a security program, so Google's program is likely to pay dividends on several fronts for the foreseeable future in terms of improved user experience and retained market share.




Edited by Alisen Downey