Google has launched a new program that will pay rewards for bugs found in its open source projects.
The Open Source Vulnerability Reward Program (OSS VRP) is the latest addition to the tech giant's existing VRPs, which offer cash for vulnerability discoveries.
The company says its first VRP, which rewarded people who helped secure Google's code, was one of the first in the world. Now in its second decade of operation, the program is meant to underline Google's commitment to supporting security researchers and bug hunters.
Google OSS bugs
Google says its existing VRPs cover Chrome and Android code, among other areas, and that the wider program has paid out over $38 million across more than 13,000 rewards to researchers in 84 countries.
In addition, Google has pledged to invest $10 billion in improving cybersecurity, both for its own users and for consumers of open source software.
Google cites Codecov and Log4j as two of the most significant incidents behind a 650% year-on-year increase in attacks on the open source software supply chain last year.
The Google Security blog says the OSS VRP covers "all up-to-date versions" of open source software stored in Google's GitHub organizations, such as GoogleAPI and GoogleCloudPlatform, although the "top prizes" are reserved for the most sensitive projects, which Google names as Bazel, Angular, Golang, Protocol Buffers and Fuchsia; a list that should expand once the program is up and running.
Targets for all hunters include: "vulnerabilities that compromise the supply chain; design problems that cause product gaps; [and] other security issues such as exposed or leaked credentials, weak passwords or insecure installations".
Prizes range from a meager $100 to a substantial $31,337, depending on the severity of the vulnerability found. Any bugs that fall outside the scope of this VRP will not go to waste, however: Google promises to route such findings to the appropriate VRP, along with the corresponding payout.