- Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) focuses on rewarding discoveries of vulnerabilities in Google’s open-source projects.
- Rewards will range from $100 to $31,337 depending on the severity of the vulnerability and the project’s importance.
- The new program aims to help prevent attacks on the open-source supply chain, which, according to Google, increased by 650% last year.
Google is launching the Open Source Software Vulnerability Rewards Program (OSS VRP), a new addition to its family of Vulnerability Reward Programs. Where the original VRP, now approaching its 12th anniversary, covers Google's own products and services, the OSS VRP rewards researchers for finding bugs in Google's open-source projects that could affect the wider open-source ecosystem.
Open-source supply chain
The new addition focuses on supply chain compromises. Google stated that attacks targeting the open-source supply chain increased by 650% year-over-year last year, citing incidents such as the Codecov compromise and the Log4j vulnerability. The OSS VRP is part of Google's $10 billion commitment to improving cybersecurity. It encourages researchers to report vulnerabilities with the greatest real and potential impact on open-source software in Google's portfolio. In scope are:
- All up-to-date versions of open-source software stored in the public repositories of Google-owned GitHub organizations, including the repositories' settings (so a misconfigured repository, not only the code it holds, can qualify).
- Third-party dependencies of those projects. The affected dependency must be notified before the report is submitted to Google's OSS VRP.
The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia. Google also said it plans to expand this list after the initial rollout. Google is looking for submissions of:
- Vulnerabilities that lead to supply chain compromise
- Design issues that cause product vulnerabilities
- Other security issues, such as sensitive or leaked credentials, weak passwords, or insecure installations
Rewards range from $100 to $31,337; the top figure is a nod to leetspeak (31337 reads as "eleet"), a long-standing reference in Google's reward programs. Google also stated that the larger amounts will go to unusual or particularly interesting vulnerabilities.