Dive Brief:
- Google launched a vulnerability rewards program aimed at reducing vulnerabilities in open source software, which has been the target of widespread supply chain attacks over the last few years, according to a Tuesday announcement.
- The program will focus on three areas: vulnerabilities leading to supply chain compromise; design issues that lead to product vulnerabilities; and sensitive security issues, including weak passwords, leaked credentials or insecure installations.
- The Open Source Software Vulnerability Rewards Program (OSS VRP) will offer rewards ranging from $100 to $31,337, with the amount paid depending on the severity of vulnerability or the importance of the project.
Dive Insight:
Google calls itself one of the largest contributors to open source in the world, citing its role as the maintainer of projects including Golang, Angular and Fuchsia.
Google's original bug bounty program, which began more than a decade ago, has expanded to include issues surrounding Chrome, Android and other areas. Since the program began, Google has paid more than $38 million on more than 13,000 submissions.
The new OSS VRP follows a year in which supply chain attacks aimed at open source rose by 650%, including incidents like Codecov and Log4Shell, according to Google's blog post announcing the program.
“Opening this new VRP scope furthers the importance of security research being rewarded in the open source ecosystem,” Francis Perron, open source security technical program manager at Google, said via email. “It also emphasizes the importance and value of vulnerability disclosure in open source.”
Perron said Google has spent more than $7.5 million in the past year to improve open source security, and this program is part of that. Google was one of several major technology firms to push the White House to help improve the security of open source software.
Google said the new program will target two areas:
- Up-to-date versions of open source software, including repository settings, stored in the public repositories of Google-owned GitHub organizations.
- Third-party dependencies of those projects.
Top rewards will go to vulnerabilities found in the most sensitive projects, which include Bazel, Angular, Golang, Protocol Buffers and Fuchsia. Google said it will expand the list after an initial rollout period.