Google has launched its Open Source Software Vulnerability Rewards Program (OSS VRP), under which researchers are rewarded for finding bugs and vulnerabilities in the open-source software ecosystem. Google is offering rewards of up to $31,337 to those who report qualifying bugs.
Google has taken a crowdsourced approach to security, with a special focus on mitigating vulnerabilities in open-source projects that are under-funded and under-maintained yet extensively used.
Through this rewards program, the company aims to close entry points for attackers and help enterprises operate securely, since the open-source ecosystem is in need of a major security overhaul.
It is worth noting that a large number of organizations rely on open-source software for critical operations. Yet they exercise little to no control over these components, which leaves them exposed.
Furthermore, attacks on the software supply chain have spiked over the years. They are currently at an all-time high, following the discovery of the Log4Shell zero-day vulnerability in Log4j and devastating breaches such as the SolarWinds compromise.
Through OSS VRP, ethical hackers will receive rewards ranging from $100 to $31,337, depending on the severity of the bug they discover. The highest rewards go to bugs found in sensitive open-source projects such as Angular, Bazel, Protocol Buffers, Golang, and Fuchsia.
According to Google’s blog post, the program focuses mainly on up-to-date versions of open-source projects and on the repository settings stored in Google’s public GitHub repositories. The vulnerabilities Google expects to be reported include:
- Vulnerabilities that lead to supply chain compromise
- Design issues that cause product vulnerabilities
- Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
“The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.”
Such programs should restore the confidence of users and vendors in the open-source software supply chain, as vulnerabilities will be identified and fixed promptly. So if you have what it takes to participate in Google’s latest bug bounty program, we wish you good luck!