Patch Rewards
Any patch (typically a merged GitHub pull request) that you can demonstrate to have improved the security of an in-scope project will be considered for a reward.
For more details on in-scope projects and qualifying submissions, see the information on this page and the program rules.
Examples
Some examples of patches we've rewarded in the past (for more, see our repository of rewarded submissions on GitHub):
Example 1
Intelligent allowlist-based sandbox for OGNL evaluations within the Struts web framework.
Reward: $10,000
Example 2
Patching rs/cors (DoS via malicious preflight requests).
Reward: $5,000
Reward amounts
Below you can find an overview of the different reward categories applied to submitted patches (for tier 1 projects). For full details, see the Reward Amounts section of the Patch Rewards Program rules.
1. $500: our "one-liner special" for smaller improvements that still have merit from the security standpoint.
2. $2,000: for submissions of modest complexity, or for ones that offer fairly speculative gains.
3. $7,500: for moderately complex patches that offer compelling security benefits.
4. $15,000: for complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code.
5. 2x multiplier: for secure-by-design memory safety improvements in tier 1 projects, excluding the "one-liner special" category (until the end of 2025).
6. 3x multiplier: for secure-by-design memory safety improvements in tier 1 projects scoped as "Core infrastructure data parsers", excluding the "one-liner special" category (until the end of 2025).