Google Releases Bug Bounty Program for Open Source Projects
With the new bug bounty program, Google rewards security researchers who report vulnerabilities in the company’s open source projects.
Google has launched the Open Source Software Vulnerability Rewards Program (OSS VRP). The program covers the current versions of Google's open source software that are hosted in public repositories on GitHub.
This includes the Google, GoogleAPIs, and GoogleCloudPlatform organizations. Third-party software that Google depends on for specific components can also be reported, although the tech giant does say that researchers should first notify the original developers.
OSS VRP focuses on bugs that can lead to supply chain attacks, design flaws that lead to vulnerabilities, and other security issues such as weak passwords, insecure installations, or the use of weak and/or leaked credentials.
Rewards offered through the OSS VRP range from $100 to $31,337. The larger rewards mainly target vulnerabilities in Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. Google plans to expand this list further in the future.