Google will now pay bounties for open source software bugs

>

Google has launched a new program that will pay bounties for bugs found in its open source projects. 

The Open Source Software Vulnerability Rewards Program (opens in new tab) (OSS VRP) is the latest addition to the tech giant’s existing VRPs offering up cash for discoveries.

The company says that its first VRP, aimed at those who helped secure Google’s code, was one of the first in the world. Already in its second decade of operation, Google is keen to highlight its commitment to supporting security researchers and bug hunters.

Google OSS bugs

Google says the VRPs cover various Chrome and Android code across the company’s wider operations, which have resulted in over $38 million being paid out to more than 13,000 contributions, from a total of 84 countries.

Furthermore, Google has pledged to invest $10 billion to improve cybersecurity among its own users and open source software consumers. 

Google cites Codecov and Log4j as two of the most prominent incidents which have contributed to last year’s 650% year-on-year increase in OSS supply chain-targeted attacks. 

Google’s Security Blog (opens in new tab) says the OSS VRP focuses on “all up-to-date versions” of OSS stored in the Google-owned GitHub organization spaces, such as GoogleAPIs and GoogleCloudPlatform, though the “top awards” are reserved for the most sensitive projects, which Google sets out to be Bazel, Angular, Golang, Protocol buffers, and Fuchsia; a list that’s expected to expand after the initial program rollout.

The targets for any hunters include: “vulnerabilities that lead to supply chain compromise; design issues that cause product vulnerabilities; [and] other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.”

Rewards range from a measly $100 to a substantial $31,337, depending on the severity of the vulnerability uncovered, however any applicable bugs that are found that do not relate specifically to this VRP shall not be wasted, with Google promising to redirect any findings to the relevant VRP (and pot of cash). 

Related Post