Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet.

The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties. Security researchers inside the company considered modifying the program to reward bug reports in open-source software, but eventually decided against that approach. The reason: bug bounty programs often invite a flood of reports of varying quality that can overwhelm the finite resources of open-source developers. What's more, it's frequently much harder to patch a vulnerability than merely to find it.

"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug," Michael Zalewski, a member of the Google security team, wrote in a blog post. "Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just enable ASLR—we want to help."

Beginning immediately, the program will offer rewards between $500 and $3,133.70 for security improvements to core infrastructure network services such as OpenSSH, BIND, and ISC DHCP; image parsers such as libjpeg and libjpeg-turbo; the open-source foundations of Google Chrome; the high-impact code libraries OpenSSL and zlib; and security-critical, commonly used components of the Linux operating system kernel. Eventually, Google will pay for fixes to other open-source programs, including the Apache Web server, the Sendmail e-mail service, and the OpenVPN virtual private networking app.

Code fixes should be submitted directly to the maintainers of the individual projects. Once the patch is accepted and merged into the repository, submitters should e-mail the details to security-patches@google.com. "If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,113.70," Zalewski said. Official rules are here.