A new Google bug bounty program now covers Open Source projects

Google this week launched a new bug bounty program that covers the open source projects of the IT giant.

Google launched a new bug bounty program as part of the new Open Source Software Vulnerability Rewards Program (OSS VRP) that covers the source projects of the IT giant.

The company will pay up to $31,337 for vulnerabilities in its projects, while its lowest payout will be $100.

Google is one of the largest contributors and users of open source, it maintains popular projects such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia.

“With the addition of Google’s OSS VRP to our family of Vulnerability Reward Programs (VRPs), researchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem.” reads the announcement published by the company.

Google launched the original VRP program twelve years ago, over time, the company’s program has covered additional products and services such as the Chrome browser and the Android OS. The company confirmed that collectively, its programs have rewarded more than 13,000 submissions, totaling over $38M paid.

The new bug bounty program aims to secure the code used in the company’s open source and reduce the risk of rising supply chain attacks.

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and Log4Shell that showed the destructive potential of a single open source vulnerability.” continues the company. “Google’s OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.”

The program focuses on all up-to-date versions of open source software stored in the public repositories of Google-owned GitHub organizations (eg. Google, GoogleAPIs, GoogleCloudPlatform).

The program also covers third-party dependencies of these projects, but the announcement states that researchers will have to send a prior notification to the affected dependency.

Google encourages white hat hackers and bug hunters to submit vulnerabilities that lead to supply chain compromise, design issues, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, bug bounty)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.