Google is adding to its bounty program that pays for the discovery of application vulnerabilities.
On Tuesday the company launched the Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of bugs in Google’s open source projects.
That covers all up-to-date versions of open source software (including repository configuration settings such as GitHub Actions) stored in the public repositories of Google-owned GitHub organizations (such as Google, GoogleAPIs, Google Cloud Platform, as well as projects that Google maintains, such as the Golang Go programming language, the Angular web developers platform and the Fuchsia operating system.
“The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises,” Google said. “Last year saw a 650 per cent year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability.
“Google’s OSS VRP is part of our US$10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.”
The overall program includes rewards for finding vulnerabilities in Google products such as Chrome, Android, Pixel smartphones, the Google Nest line of smart home products, Fitbit smartwatches, certain apps in the Google Play store, and other areas. Over the past 12 years, this program has rewarded more than 13,000 submissions, with over US$38 million paid out.
The new program not only focuses on Google’s open source projects but also those projects’ third-party dependencies (with prior notification to the affected dependency required before submission to Google’s OSS VRP).
The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia. After the initial rollout that list will be expanded.
The program is looking for
-
vulnerabilities that lead to supply chain compromise;
-
design issues that cause product vulnerabilities;
-
other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.
Depending on the severity of the vulnerability and the project’s importance, rewards will range from US$100 to US$31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.
See the program rules for more information.