[bostondavidvc]

Whoa, this kind of impressed me (linked from the blog post) https://bughunters.google.com/about/patch-rewards

Payouts for security-positive improvements to security-critical OSS projects:

* $20,000 for setting up continuous fuzzing with OSS-Fuzz

* $10,000 for high-impact improvements that prevent major classes of vulnerabilities

but the low end of the scale is kind of neat too:

* "$1,337 for submissions of modest complexity, or for ones that offer fairly speculative gains."

* "$500 our "one-liner special" for smaller improvements that still have a merit from the security standpoint."

... and you can qualify for these even if your day job is working on one of these OSS projects!

> Q: I'm a core developer working on one of the in-scope projects. Do my own patches qualify?

> A: They most certainly do.

Neat stuff.

(Googler here, but I don't work on the VRP.)

[Trias11]

1. Press [Submit]

2. Thank you for your submission, that was already known issue.

[biryani_chicken]

Will project maintainers avoid writing issue tickets before sending the patch to this platform?

[heavyset_go]

> https://bughunters.google.com/about/patch-rewards

> (Googler here, but I don't work on the VRP.)

The URL that you posted doesn't render correctly on Firefox 90 for Linux.

[HenryKissinger]

They need to mltiply these amounts by 50x. Cybersec researchers make 6-7 figures. 20k is almost nothing.

[H8crilA]

Not sure why you're downvoted, but the $3M/year total rewards payoff is likely smaller than the corporate administrative and developer time (for review) costs. I.e. if this was a charity it would pay out less than 50 cents on the dollar.

[tptacek]

I downvoted because "cybersec researchers" do not in fact routinely make 7 figures. For strong pentester types reporting the typical (real) vulnerability the VRP handles, the median is probably in the low 6's.

[na85]

6 figures from breaking systems and reporting them responsibly?

Sounds amazing, what's the catch?

[tptacek]

There's no catch. You want a job as a pentester. That job is in high demand.

[kasey_junk]

Frankly low 6 figures sounds low for a software job. How do you attract talent at that level?

[fooker]

Not everyone can move from wherever they are to the Bay area though.