Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS). The company's newly announced Vulnerability Reward Program (VRP) covers Google software and repository settings (such as GitHub Actions workflows, application configurations, and access control rules). It applies to software available in the public repositories of Google-owned GitHub organizations, as well as some repositories hosted on other platforms. Bug bounty hunters will be rewarded anywhere from $100 to $31,337, depending on the severity of the vulnerabilities found.
The program's scope also includes security vulnerabilities in third-party dependencies of Google OSS, on the condition that bug reports are first sent to the owners of the vulnerable packages, so that the issues are fixed upstream before Google is informed of the findings.
Google welcomes the submission of vulnerabilities that could lead to supply chain compromise, design issues that could cause product vulnerabilities, and security issues like leaked credentials, weak passwords, or insecure installations.
“The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia. After the initial rollout we plan to expand this list,” Google said in a recent blog post.
Google’s original VRP was introduced in 2010. Since then, the company has paid out $38 million to bug hunters from over 84 countries. The new OSS VRP aims to address the rise in supply chain attacks. Last year, the company saw a 650% year-over-year increase in attacks targeting the open source supply chain, citing the Codecov, Log4Shell, and SolarWinds incidents. With this new program, Google encourages researchers to report the vulnerabilities with the greatest real and potential impact on open source software.