Google introduces a new Bug Bounty Program for the company's open source projects
On Tuesday, Google launched a new bug bounty program that rewards security researchers who discover and report flaws in the company's open source projects.
Under the new Open Source Software Vulnerability Rewards Program (OSS VRP), Google offers bug bounty payouts of up to $31,337; the lowest reward is $100.
Small bonuses of roughly $1,000 may be awarded for particularly clever or interesting vulnerabilities. Google has operated its VRP for almost 12 years and has expanded it over time to cover Android, Chrome, the Linux kernel, and other areas.
To date, the company has paid over $38 million in bug bounty rewards to reporting researchers. The new program focuses on open source software in order to address the risks of supply chain compromise.
Google notes that the last year saw a 650% year-over-year rise in attacks targeting the open source supply chain, including headline incidents such as Codecov and Log4Shell, which showed how destructive a single open source vulnerability can be.
The internet giant considers all up-to-date software in the public repositories of Google-owned GitHub organizations to be within the scope of the OSS VRP. The third-party dependencies of these projects are also included, but researchers must notify the dependency first, SecurityWeek reports.