
Google is now offering bug bounties for open source software bugs


Bug bounties for Google's open source projects are now available thanks to a new initiative.

Adding to the already lucrative Vulnerability Rewards Programs (VRPs) offered by the tech giant is the Open Source Software Vulnerability Rewards Program (OSS VRP).

According to the company, its pioneering Vulnerability Reward Program (VRP) honored those who worked to protect Google's source code. Even though the program is well into its second decade, Google is still keen to emphasize its dedication to supporting security researchers and bug hunters.

According to Google, the VRPs, which span Chrome, Android and other code across the company's wider operations, have paid out over $38 million for more than 13,000 submissions from a total of 84 countries.

Google has also committed $10 billion to bolstering the security of both its own services and those of users of open source software.

According to Google, the number of attacks on the OSS supply chain increased by 650% from the previous year. Two of the most notable incidents that contributed to this rise were the compromises of the Codecov and Log4j projects.

According to Google's Security Blog, the OSS VRP is primarily concerned with "all up-to-date versions" of OSS hosted in Google-owned GitHub organization spaces like GoogleAPIs and GoogleCloudPlatform. However, the "top awards" are reserved for the most sensitive projects, which Google identifies as Bazel, Angular, Golang, Protocol buffers, and Fuchsia.

According to the same post, "vulnerabilities that lead to supply chain compromise; design issues that cause product vulnerabilities; [and] other security issues, such as sensitive or leaked credentials, weak passwords, or insecure installations," are all fair game for any hunter.

The severity of the vulnerability discovered determines the size of the reward, which ranges from a paltry $100 to a substantial $31,337. However, if a bug is discovered that falls under another Google VRP rather than this one, it will not go to waste: Google has promised to forward such reports (and the pot of cash) to the appropriate program.