Google has launched a new program that will pay bounties for bugs found in its open source projects.
The Open Source Software Vulnerability Rewards Program (OSS VRP) is the latest addition to the tech giant’s existing VRPs, which pay out for vulnerability discoveries.
The company says its first VRP, for those who helped secure Google’s code, was one of the first in the world. Already in its second decade of activity, Google is keen to emphasize its commitment to supporting security researchers and bug hunters.
Google OSS bugs
Google says its VRPs cover various Chrome and Android code across the company’s broader operations, and have so far paid out more than $38 million for more than 13,000 contributions from a total of 84 countries.
Additionally, Google has pledged to invest $10 billion to improve cybersecurity for its own users and consumers of open source software.
Google cites Codecov and Log4j as two of the most significant incidents that contributed to the 650% year-over-year increase in attacks targeting the OSS supply chain.
A post on the Google Safety Blog indicates that the OSS VRP covers “all up-to-date versions” of OSS stored in Google-owned GitHub organizations, such as GoogleAPI and GoogleCloudPlatform, although the “top rewards” are reserved for the most sensitive projects, which Google defines as Bazel, Angular, Golang, protocol buffers, and Fuchsia; a list that is expected to grow after the initial rollout of the program.
Targets for all hunters include: “vulnerabilities that lead to supply chain compromise; design issues that cause product vulnerabilities; [and] other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.”
Rewards range from a paltry $100 to a hefty $31,337, depending on the severity of the vulnerability discovered. Any applicable bugs found that do not relate specifically to this VRP will not be wasted, with Google promising to redirect them to the appropriate VRP (and kitty).