Google Launches Open Source Software Bug Bounty Program

Google has just announced the launch of its open source software vulnerability bug bounty program, which offers cybersecurity researchers up to $31,337 in rewards for spotting bugs (via The Record).

Bug hunters

According to Google, its Open Source Software Vulnerability Reward Program “recognizes the contributions of security researchers who invest their time and effort in helping us secure open source software released by Google.”

The program, inspired by the growing number of open source bugs that have caused widespread controversy, including the Log4j vulnerabilities and the Codecov incident, covers the latest versions of open source software stored in the public repositories of Google-owned GitHub organizations.

The top awards go to bugs found in Bazel, Angular, Golang, Protocol Buffers, and Fuchsia; the list is expected to expand after the initial rollout.

Google is primarily looking for vulnerabilities that may lead to supply chain compromise or design issues that may cause product vulnerabilities.

“With the recent incidents in open source security (e.g. Log4Shell, Codecov), we’ve noticed more security researchers are interested in open source. We want to further encourage that interest, and having a clear scope and rewards for those researchers is part of that,” a Google spokesperson told The Record.

Google will contact hackers who find unusual vulnerabilities directly while the issue is being fixed.

Google will also be offering public recognition in addition to bug bounties.