News

Google Launches Open Source Bug Bounty Program

This week, Google introduced a bug bounty for open source (a reward program for found vulnerabilities).

This bug bounty is intended for researchers who discover vulnerabilities in the company’s open-source projects.

Let me remind you that Google’s bug bounty programs have been running for almost 12 years, and over time they have been extended to Android, Chrome, the Linux kernel, and so on. To date, the company has paid over $38 million in rewards to researchers.

For example, we also wrote that Google expands the bug bounty program and will pay for bugs in applications with 100 million installations, and also that Mozilla extends the bug bounty program and increases rewards.

The new program is called the Open Source Software Vulnerability Rewards Program (OSS VRP), and the maximum reward that can be received under the OSS VRP is $31,337, while the minimum is $100. Also, small incentives (approximately $1,000) can be paid for “particularly clever or interesting vulnerabilities.”

Last year, open source attacks on the supply chain increased by 650% year-over-year, including issues such as Codecov and Log4Shell, which demonstrated the destructive potential that just one open source vulnerability can have.Google writes.

The new bug bounty program involves any programs that were updated to the latest version from the public GitHub repositories owned by Google organizations. Third-party dependencies of such projects are also included in the program, however, in this case, researchers will need to notify not only Google:

Please report bugs to the direct owner of the vulnerable package first and ensure the issue is upstream resolved before reporting the details of the vulnerability to us.the company explains.
Google is urging researchers to focus on vulnerabilities that lead to supply chain compromise, on design issues that give rise to bugs in products, and also on security issues, including credential leaks and weak passwords.
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button