Google offers up to $31,337 for bugs in open source projects • The Register


Google has created a bug bounty program that will reward those who find and report vulnerabilities in its open source projects, in the hope of bolstering software supply chain security.

The Open Source Software Vulnerability Rewards Program (OSS VRP) will pay bug hunters between $100 and $31,337 (eleet, elite… geddit?), with the highest payouts going to “unusual or particularly interesting vulnerabilities”, according to Googlers Francis Perron, open source security technical program manager, and infosec engineer Krzysztof Kotowicz.

Larger payouts will also go to researchers who find and report vulnerabilities in Google’s “most sensitive” open source projects: Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.

These projects underpin several of the web titan’s products: for example, the Go programming language designed by Google is widely used in container environments and tooling, while its Fuchsia operating system powers smart home devices, including the Alphabet-owned Nest line.

After 2021, which proved to be a banner year for supply chain and open source software attacks, Google’s latest VRP asks ethical hackers to focus on vulnerabilities that could lead to supply chain compromise, design issues that lead to product vulnerabilities, and other weaknesses such as sensitive or leaked credentials, weak passwords, and insecure installations.

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including high-profile incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability,” Perron and Kotowicz wrote.

“Google’s OSS VRP is part of our $10 billion commitment to improve cybersecurity, including securing the supply chain against these types of attacks for Google users and open source consumers around the world,” they added.

Google’s original VRP, now 12 years old, has grown over the years and added bug bounties focused on Chrome, Android, and other products and projects. Earlier this month, Google’s Kubernetes-based capture-the-flag project (kCTF), which pays researchers to exploit bugs in the Linux kernel, permanently increased its payouts to a maximum reward of $133,337.

In total, Google paid out $8.7 million in rewards to nearly 700 researchers across its various VRPs last year.

The move is also part of a broader effort by private software vendors, as well as the US federal government, to improve open source supply chain security.

In May, following a meeting at the White House, Google and a handful of other big tech companies announced a commitment of more than $30 million to implement a plan to improve open source software supply chain security. Shortly after, Google announced a service called Assured Open Source Software that aims to make it easier for companies to secure their open source dependencies.

While well-managed bug bounties are always welcome, the relatively modest payouts on offer from Google look a bit cheap compared to the money offered by other companies and competitors, not to mention private brokers hunting for high-quality vulnerabilities. ®
