Google today introduced a new bug bounty program to reward security researchers who discover and report vulnerabilities in the company’s open source projects.
As part of the new Open Source Software Vulnerability Rewards Program (OSS VRP), Google is offering bug bounty payouts of up to $31,337. The lowest vulnerability reward will be $100.
Small bonus increases – of roughly $1,000 – may be awarded for “particularly clever or interesting vulnerabilities”.
Google has been running its VRP for almost 12 years and has expanded it in time, to cover Android, Chrome, Linux kernel, and other areas. To date, the company has paid over $38 million in bug bounty rewards to the reporting researchers.
Focused on open source software, the new program is meant to address the risks associated with supply chain compromise.
“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and Log4Shell that showed the destructive potential of a single open source vulnerability,” Google notes.
The internet giant considers all up-to-date software available in the public repositories of Google-owned GitHub organizations as being within the scope of the OSS VRP. The third-party dependencies of these projects are also included, but researchers will have to send prior notification to the dependency.
“Please send your bug reports directly to the owner of the vulnerable package first and ensure that the issue is addressed upstream before letting us know of the issue details,” the company explains on the OSS VRP’s page.
In-scope projects are grouped into three tiers, with rewards for vulnerabilities in flagship OSS projects – which are considered particularly sensitive – being significantly higher. The top payouts will be offered for flaws in Bazel, Angular, Golang, Protocol buffers, and Fuchsia.
The internet giant encourages researchers to focus on vulnerabilities leading to supply chain compromise, on design issues leading to product flaws, and on security issues such as credential leaks, weak passwords, and insecure installations.
Related: Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021
Related: Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year
Related: Google Open Sources ‘Paranoid’ Crypto Testing Library
Related: Google Teams Up With GitHub for Supply Chain Security

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
