Last week, Google introduced a new bug bounty program. This bug bounty is for researchers who discover vulnerabilities in the company’s open source projects.
Let me remind you that Google’s bug bounty programs have been running for almost 12 years, and over time they have been extended to Android, Chrome, the Linux kernel and so on. To date, the company has paid over $38 million in rewards to researchers.
The new program is called the Open Source Software Vulnerability Rewards Program (OSS VRP), and the maximum reward that can be received under the OSS VRP is $31,337, while the minimum is $100. Also, small incentives (approximately $1,000) can be paid for “particularly clever or interesting vulnerabilities.”
“Last year, open source attacks on the supply chain increased by 650% year-over-year, including issues such as Codecov and Log4Shell, which demonstrated the destructive potential that just one open source vulnerability can have,” writes Google.
The new bug bounty program involves any updated to the latest version of software from public GitHub repositories owned by Google organizations. Third-party dependencies of such projects are also included in the program, however, in this case, researchers will need to notify not only Google,
“Please report bugs to the direct owner of the vulnerable package first and ensure the issue is upstream resolved before reporting the details of the vulnerability to us,” the company explains.
Google is urging researchers to focus on vulnerabilities that lead to supply chain compromise, on design issues that give rise to bugs in products, and also on security issues, including credential leaks and weak passwords.