Google Launches Open Source Software Bug Bounty Program
According to Google, its Open Source Software Vulnerability Reward Program “recognizes the contributions of security researchers who invest their time and effort in helping us secure open source software released by Google.”
The program, prompted by a string of high-impact open source security incidents such as the Log4j vulnerabilities and the Codecov supply chain compromise, covers the up-to-date versions of open source software stored in the public repositories of Google-owned GitHub organizations.
New VRP program joins our family: Get rewards for finding vulns in our open source software! https://t.co/P5PdCjbuUy
— Google VRP (Google Bug Hunters) (@GoogleVRP)
The highest awards are reserved for bugs found in Bazel, Angular, Golang, Protocol Buffers, and Fuchsia; Google expects the list of in-scope projects to expand after the initial rollout.
Google is primarily looking for vulnerabilities that could lead to supply chain compromise, as well as design issues that could cause product vulnerabilities.
“With the recent incidents in open source security (e.g. Log4Shell, Codecov), we’ve noticed more security researchers are interested in open source. We want to further encourage that interest, and having a clear scope and rewards for those researchers is part of that,” a Google spokesperson told The Record.
Researchers who find unusual vulnerabilities will be contacted directly by Google while it works on fixing the issue.
Google will also be offering public recognition in addition to bug bounties.