A new Google bug bounty program now covers Open Source projects

Pierluigi Paganini August 30, 2022

Google this week launched a new bug bounty program that covers the open source projects of the IT giant.

Google launched a new bug bounty program as part of the new Open Source Software Vulnerability Rewards Program (OSS VRP) that covers the source projects of the IT giant.

The company will pay up to $31,337 for vulnerabilities in its projects, while its lowest payout will be $100.

Google is one of the largest contributors and users of open source, it maintains popular projects such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia.

“With the addition of Google’s OSS VRP to our family of Vulnerability Reward Programs (VRPs), researchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem.” reads the announcement published by the company.

Google bug bounty

Google launched the original VRP program twelve years ago, over time, the company’s program has covered additional products and services such as the Chrome browser and the Android OS. The company confirmed that collectively, its programs have rewarded more than 13,000 submissions, totaling over $38M paid. 

The new bug bounty program aims to secure the code used in the company’s open source and reduce the risk of rising supply chain attacks.

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and Log4Shell that showed the destructive potential of a single open source vulnerability.” continues the company. “Google’s OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.”

The program focuses on all up-to-date versions of open source software stored in the public repositories of Google-owned GitHub organizations (eg. Google, GoogleAPIs, GoogleCloudPlatform).

The program also covers third-party dependencies of these projects, but the announcement states that researchers will have to send a prior notification to the affected dependency.

Google encourages white hat hackers and bug hunters to submit vulnerabilities that lead to supply chain compromise, design issues, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, bug bounty)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment