Earn Bounties with Google Patch Reward Program – Google Bug Bounty

What is the Google Patch Reward Program?

The Google Patch Reward Program is an initiative launched by Google to improve the security of key open-source projects. It incentivizes developers and security researchers to contribute security-related improvements by offering financial rewards, or bounties, for submitting patches that improve the security of designated open-source projects.

Instead of merely discovering vulnerabilities, the program encourages developers to actively contribute security patches to open-source projects, helping to make the internet ecosystem safer for all users.

How Developers Can Earn Bounties

  1. Identify a Security Issue: Developers begin by identifying a security vulnerability, or an opportunity for a security improvement, in an open-source project included in the Patch Reward Program.
  2. Submit a Security Patch: After identifying an issue, the developer fixes it and submits the patch to the maintainers of the project, adhering to their established contribution guidelines (typically via GitHub).
  3. Submit a Report to Google: Once the patch is accepted and merged into the project, the developer submits a report to Google’s Patch Reward Program, including:
    • A description of the patch
    • The security issue being addressed
    • A link to the merged patch in the project’s repository
  4. Evaluation: Google’s security team assesses the quality and impact of the patch. If approved, developers are awarded a bounty based on the patch’s complexity and the severity of the security improvement.

Bounty Amounts

The size of the bounty depends on the severity and impact of the patch, ranging from $500 to $10,000. Google’s evaluation considers:

  • The severity of the security fix
  • The project’s importance to the wider internet ecosystem
  • The complexity and overall quality of the submitted patch

Projects Included in the Google Patch Reward Program

Google has compiled a list of widely used and important open-source projects that are eligible for the Patch Reward Program. Some notable projects include:

  1. Linux Kernel: A vital component of many operating systems worldwide.
  2. OpenSSL: A widely used cryptographic library that secures communications across the internet.
  3. Apache: The most popular open-source web server software.
  4. NGINX: A web server that also functions as a reverse proxy, load balancer, and HTTP cache.
  5. Chromium: The open-source project behind Google Chrome, one of the world’s most used browsers.
  6. BoringSSL: A Google-maintained fork of OpenSSL designed to enhance security.
  7. Tsunami Security Scanner: An open-source security scanner created by Google that detects vulnerabilities in network services and web applications.

Tsunami Security Scanner Plugins

In addition to the main Tsunami scanner, developers can contribute to its plugin repository, Tsunami Security Scanner Plugins, which provides modular detection capabilities. This repository enables Tsunami to scan for vulnerabilities across a wide range of platforms, services, and configurations.

How to Contribute to Tsunami Security Scanner Plugins

  1. Fork the Repository: Developers can fork the Tsunami Security Scanner Plugins GitHub repository and start working on creating new plugins or improving existing ones.
  2. Identify a Vulnerability to Detect: Developers can focus on specific vulnerabilities, such as remote code execution (RCE), misconfigurations, or outdated software versions vulnerable to exploitation.
  3. Create an Issue in the Repository: Open an issue that provides all the relevant information about the vulnerability the plugin will detect.
  4. Complete the Submission Form: Once the issue is approved by the Google team, fill in the submission form.
  5. Develop and Test the Plugin: Developers should thoroughly test their plugin before submission to ensure that it accurately detects the targeted vulnerability and doesn’t produce false positives or false negatives.
  6. Submit a Pull Request: Once the plugin is complete and tested, it can be submitted as a pull request (PR) to the plugin repository, following Google’s contribution guidelines.
  7. Get the Bounty: Once the PR is successfully merged, the developer is rewarded with a bounty.

Benefits of Contributing to Tsunami Security Scanner and Plugins

  • Financial Rewards: Developers can earn bounties through Google’s Patch Reward Program for contributing security fixes and new detection modules.
  • Career Recognition: Contributing to well-known security projects like Tsunami helps developers gain recognition in the open-source and security communities.
  • Enhancing Security: By improving Tsunami’s ability to detect vulnerabilities, developers actively contribute to making networks and applications more secure across the internet.

Conclusion

The Google Patch Reward Program is an excellent opportunity for developers to contribute security patches to open-source projects while earning bounties. Projects like the Linux Kernel, OpenSSL, and Tsunami Security Scanner benefit from these contributions, which improve security for a vast range of users. For developers looking to dive into security contributions, Tsunami Security Scanner and its associated Plugins repository provide a clear path to improving security through writing plugins, fixing vulnerabilities, and making open-source software more resilient.

By contributing to these projects, developers not only earn rewards but also enhance their skills and help secure critical software that supports the internet’s infrastructure. If you are interested in security, the Google Patch Reward Program is a great way to get involved and make a difference.