Open Source Security Subsidies Rules
As of December 2024, the Security Subsidies program has been discontinued. Our commitment to supporting security-related work in the open source space remains unchanged: We encourage you to submit your completed security patches to our Patch Rewards Program.
In contrast to Patch Rewards, which reward proactive security improvements after the work has been completed, Open Source Security Subsidies offer upfront financial support to provide an additional resource for open source developers to prioritize security work. For example, if you are a small open source project and you want to improve security, but don't have the necessary resources, an Open Source Security Subsidy can help you acquire additional development capacity.
We currently offer two support levels:
Small ($5,000): Meant to motivate and reward a project for fixing a small number of security issues. Examples: improvements to privilege separation or sandboxing, cleanup of integer arithmetic, or more generally fixing vulnerabilities identified in open source software by bug bounty programs such as EU-FOSSA 2 (see ‘Qualifying submissions’ here for more examples).
Large ($30,000): Meant to incentivize a larger project to invest heavily in security, e.g. providing support to find additional developers, or implementing a significant new security feature (e.g. new compiler mitigations).
Nomination process
Anyone can nominate an open source project for support by filling out the nomination form (link removed). Our Patch Reward Panel reviews submissions on a monthly basis and selects a number of projects that meet the program criteria. The panel lets applicants know if a project has been chosen and starts working with the project maintainers directly.
Projects in scope
Any open source project can be nominated for support. When selecting projects, the panel places emphasis on projects that are either vital to the health of the Internet or are end-user projects with a large user base.
What do we expect in return?
We expect to see security improvements to open source software. Ideally, the project can provide us with a short blurb or pointers to some of the completed work that was possible because of our support. We don't want to add bureaucracy, but would like to measure the success of the program.
What about the existing Patch Rewards program?
This is an addition to the existing Patch Rewards program which continues to be available.