This week, Google introduced a bug bounty for open source (a reward program for found vulnerabilities).
This bug bounty is intended for researchers who discover vulnerabilities in the company’s open-source projects.Let me remind you that Google’s bug bounty programs have been running for almost 12 years, and over time they have been extended to Android, Chrome, the Linux kernel, and so on. To date, the company has paid over $38 million in rewards to researchers.
For example, we also wrote that Google expands the bug bounty program and will pay for bugs in applications with 100 million installations, and also that Mozilla extends the bug bounty program and increases rewards.
The new program is called the Open Source Software Vulnerability Rewards Program (OSS VRP), and the maximum reward that can be received under the OSS VRP is $31,337, while the minimum is $100. Also, small incentives (approximately $1,000) can be paid for “particularly clever or interesting vulnerabilities.”
The new bug bounty program involves any programs that were updated to the latest version from the public GitHub repositories owned by Google organizations. Third-party dependencies of such projects are also included in the program, however, in this case, researchers will need to notify not only Google:
User Review
( votes)
