Google’s new program offers security researchers money if they find vulnerabilities in its open-source projects or the libraries those projects depend on.