Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Launches Bug Bounty Program for Open Source Projects

Google today introduced a new bug bounty program to reward security researchers who discover and report vulnerabilities in the company’s open source projects.

As part of the new Open Source Software Vulnerability Rewards Program (OSS VRP), Google is offering bug bounty payouts of up to $31,337. The lowest vulnerability reward will be $100.

Google today introduced a new bug bounty program to reward security researchers who discover and report vulnerabilities in the company’s open source projects.

As part of the new Open Source Software Vulnerability Rewards Program (OSS VRP), Google is offering bug bounty payouts of up to $31,337. The lowest vulnerability reward will be $100.

Small bonus increases – of roughly $1,000 – may be awarded for “particularly clever or interesting vulnerabilities”.

Google has been running its VRP for almost 12 years and has expanded it in time, to cover Android, Chrome, Linux kernel, and other areas. To date, the company has paid over $38 million in bug bounty rewards to the reporting researchers.

Focused on open source software, the new program is meant to address the risks associated with supply chain compromise.

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and Log4Shell that showed the destructive potential of a single open source vulnerability,” Google notes.

The internet giant considers all up-to-date software available in the public repositories of Google-owned GitHub organizations as being within the scope of the OSS VRP. The third-party dependencies of these projects are also included, but researchers will have to send prior notification to the dependency.

“Please send your bug reports directly to the owner of the vulnerable package first and ensure that the issue is addressed upstream before letting us know of the issue details,” the company explains on the OSS VRP’s page.

In-scope projects are grouped into three tiers, with rewards for vulnerabilities in flagship OSS projects – which are considered particularly sensitive – being significantly higher. The top payouts will be offered for flaws in Bazel, Angular, Golang, Protocol buffers, and Fuchsia.

The internet giant encourages researchers to focus on vulnerabilities leading to supply chain compromise, on design issues leading to product flaws, and on security issues such as credential leaks, weak passwords, and insecure installations.

Related: Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021

Related: Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year

Related: Google Open Sources ‘Paranoid’ Crypto Testing Library

Related: Google Teams Up With GitHub for Supply Chain Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.