Google today introduced a new bug bounty program to reward security researchers who discover and report vulnerabilities in the company’s open source projects.
As part of the new Open Source Software Vulnerability Rewards Program (OSS VRP), Google is offering bug bounty payouts of up to $31,337. The lowest vulnerability reward will be $100.
Small bonus increases – of roughly $1,000 – may be awarded for “particularly clever or interesting vulnerabilities”.
Google has been running its VRP for almost 12 years and has expanded it in time, to cover Android, Chrome, Linux kernel, and other areas. To date, the company has paid over $38 million in bug bounty rewards to the reporting researchers.
Focused on open source software, the new program is meant to address the risks associated with supply chain compromise.
“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and Log4Shell that showed the destructive potential of a single open source vulnerability,” Google notes.
The internet giant considers all up-to-date software available in the public repositories of Google-owned GitHub organizations as being within the scope of the OSS VRP. The third-party dependencies of these projects are also included, but researchers will have to send prior notification to the dependency.
“Please send your bug reports directly to the owner of the vulnerable package first and ensure that the issue is addressed upstream before letting us know of the issue details,” the company explains on the OSS VRP’s page.
In-scope projects are grouped into three tiers, with rewards for vulnerabilities in flagship OSS projects – which are considered particularly sensitive – being significantly higher. The top payouts will be offered for flaws in Bazel, Angular, Golang, Protocol buffers, and Fuchsia.
The internet giant encourages researchers to focus on vulnerabilities leading to supply chain compromise, on design issues leading to product flaws, and on security issues such as credential leaks, weak passwords, and insecure installations.