Want Google to give you $31,000? You just need to find the right software vulnerability, as the tech giant is launching a new rewards program for anyone who spots a bug in its major open-source software projects.
Since the new program is focused only on Google’s major open-source software projects, all the code is available for anyone to peruse. Admittedly, you will need a lot of expert knowledge to find the vulnerabilities.
Open source rewards like this are fairly rare, but Google’s software in particular has been targeted by supply chain attackers in recent years.
So how much money can you earn?
The program caps how much you can earn for finding a vulnerability: rewards range from $100 to $31,337. The more severe the vulnerability, the higher the reward for bringing it to Google’s attention.
The biggest rewards are reserved for the “most sensitive projects”, which are currently Bazel, Angular, Golang, Protocol Buffers and Fuchsia. Google says to check back, as it plans to add more once the initial rollout is complete.
Programs of this type are no longer new in programming circles, though Google was among the first big companies to create one 12 years ago. Also called “bug bounty” programs, rewards programs like Google’s help businesses get many more eyes on a project.
Google must be pleased with the results, as it has paid out more than $38 million on 13,000 submissions since it started offering the programs.
Why Open Source Software Matters
The open source supply chain is an increasingly important target for attackers: in 2021, this specific type of attack jumped 650% year over year.
The Log4j incident is a prime example of why open source vulnerabilities are so damaging: a single opening can give an attacker the ability to do massive damage.
Small businesses can improve their security by using SSO and a good password manager, but Google takes security so seriously that the new rewards program is just one part of a $10 billion pledge the company has made to ensure supply chain security.