Google has revealed an expansion to its Vulnerability Reward Program (VRP). It is designed to encourage privately reporting security flaws in open source software in exchange for monetary rewards.
Google has also pledged support for OpenSSF's Package Analysis Project, which analyzes open source packages as they are uploaded to popular repositories, and has published the project's results, which paint a rather interesting picture.