Do you still doubt Google not taking Android security seriously? Well, here is the latest one. The search giant has extended its recently launched Patch Reward Program to cover other open source projects including Android. The program was announced last month to reward security improvements made to important open source projects.
Google once again reiterates its plan, “The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.”
While kicking off its OSS bug-hunting program, Google announced financial incentives ranging from $500 to $3,133.70 for proactive improvements to a project that go beyond merely fixing a known security vulnerability.
The company launched its program with the following five project types:
• Core infrastructure network services: OpenSSH, BIND, ISC DHCP.
• Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib.
• Open-source foundations of Google Chrome: Chromium, Blink.
• Other high-impact libraries: OpenSSL, zlib.
• Security-critical, commonly used components of the Linux kernel (including KVM).
Google also said at the time that more project types would be on the way. And here they are:
• All the open-source components of Android: Android Open Source Project.
• Widely used Web servers: Apache httpd, lighttpd, nginx.
• Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot.
• Virtual private networking: OpenVPN.
• Network time: University of Delaware NTPD.
• Additional core libraries: Mozilla NSS, libxml2.
• Toolchain security improvements for GCC, binutils, and llvm.
It is important to note here that Android was not originally included in the list of projects eligible for the Patch Reward Program.
As announced earlier, open source developers need to submit their patches directly to the maintainers of the individual projects. It should be merged into the source code repository of the project, and be part of a project release.
Once this process is completed, developers can go ahead and submit their patch to the Patch Reward Program.