Google introduced a new bug bounty program to pay researchers who find security flaws in its open-source software and the building blocks it uses.
As reported by The Verge, Google says it will pay anywhere from $101 to $31,337 for information about bugs in its development projects such as Angular, Golang, and Fuchsia. The bounties also apply to vulnerabilities found in the third-party dependencies included in those projects’ codebases.
The tech giant announced the new program in the Google Security Blog. Francis Perron, Open Source Security Technical Program Manager, and Krzysztof Kotowicz, Information Security Engineer, posted an explanation of the new bounty scheme. “With the addition of Google’s OSS VRP to our family of Vulnerability Reward Programs (VRPs), researchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem,” they write. “The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises.”
Protecting the Google supply chain
Programmers often use code from open-source projects so they don’t have to keep reinventing the same wheel. Because developers usually import that code directly, along with any later updates to it, a compromised dependency flows straight into the importing project, and that is what opens the door to supply chain attacks. Supply chain attackers don’t target the code directly controlled by Google itself but go after its third-party dependencies instead.
“Last year saw a 650 percent year-over-year increase in attacks targeting the open source supply chain,” the blog post explains. These include headline incidents such as the Codecov compromise and the Log4j vulnerability, which showed the destructive potential of a single open source flaw. Google has been a prominent supporter and funder of open source bounty programs.
Payouts for the new program are generous, though subject to Google’s rules. There are some additional rules around bounties for supply chain vulnerabilities. For example, researchers must inform the maintainers of the third-party project before reporting to Google. They also have to prove that the issue affects Google’s project: if the bug is in a part of the library the company is not using, that vulnerability won’t be eligible for the program.