Skip to main content
close search
site logo
Dive Brief

Google tackles open source security with vulnerability rewards program

The program follows a surge in supply chain attacks impacting the open source software ecosystem.

Published Aug. 30, 2022
David Jones's headshot
Reporter
Google logo displayed outside the company's New York City office.
The Google logo adorns the outside of their NYC office Google Building 8510 at 85 10th Ave on June 3, 2019 in New York City. Drew Angerer via Getty Images

Dive Brief:

  • Google launched a vulnerability rewards program aimed at reducing vulnerabilities in open source software, which has been the target of widespread supply chain attacks over the last few years, according to a Tuesday announcement. 
  • The program will focus on three areas: Vulnerabilities leading to supply chain compromise; design issues that lead to product vulnerabilities; and sensitive security issues, including weak passwords, leaked credentials or insecure installations. 
  • The Open Source Software Vulnerability Rewards Program (OSS VRP) will offer rewards ranging from $100 to $31,337, with the amount paid depending on the severity of vulnerability or the importance of the project.

Dive Insight:

Google calls itself one of the largest contributors to open source in the world, citing its role as the maintainer of projects including Golang, Angular and Fuchsia. 

Google's original bug bounty program, which began more than a decade ago, has expanded to include issues surrounding Chrome, Android and other areas. Since the program began, Google has paid more than $38 million on more than 13,000 submissions. 

The new OSS VRP follows a year when supply chain attacks aimed at open source skyrocketed by 650%, including incidents like Codecov and Log4Shell, according to the blog. 

“Opening this new VRP scope furthers the importance of security research being rewarded in the open source ecosystem,” Francis Perron, open source security technical program manager at Google, said via email. “It also emphasizes the importance and value of vulnerability disclosure in open source.”

Perron said Google has spent more than $7.5 million in the past year to improve open source security, and this program is part of that. Google was one of several major technology firms to push the White House to help improve the security of open source software. 

Google said the new program will target two areas: 

  • Up-to-date versions of OSS, including repository settings, stored in public repositories of Google-owned GitHub organizations.
  • Third-party dependencies of those projects. 

Top rewards will go to vulnerabilities found in the most sensitive projects, which include: Bazel, Angular, Golang, Protocol buffers and Fuchsia. Google said it will expand the list after an initial rollout period.

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell