Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open source software or in the building blocks on which its software is built. It pays anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies included in those projects’ codebases.
While it’s important for Google to fix bugs in its own projects (and in the software it uses to track changes to its code, which are also handled by the program), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open source projects so that they don’t have to reinvent the same wheel over and over. But because developers often import that code directly, as well as any updates to it, that introduces the possibility of supply chain attacks. At that point, hackers don’t target the code directly controlled by Google itself, but instead go after these third-party dependencies.
As SolarWinds showed, this type of attack is not limited to open source projects. But in recent years, we’ve seen several stories where large companies have compromised their security thanks to dependencies. There are ways to mitigate these types of attack vectors: Google itself has started vetting and distributing a subset of popular open source programs, but it’s nearly impossible to audit all of the code a project uses. By incentivizing the community to check dependencies and first-party code, Google can cast a wider network.
According to Google’s rules, payouts from the Open Source Software Vulnerability Rewards program depend on the severity of the bug, as well as the importance of the project in which it was found (Fuchsia and the like are considered “flagship” projects and thus have the largest payouts). There are also some additional rules around bounties for supply chain vulnerabilities – researchers will first need to inform whoever is in charge of the third-party project before notifying Google. They also need to prove that the issue affects Google’s project; if there is a flaw in any part of the library that the company is not using, it will not be eligible for the program.
Google also says it doesn’t want people poking around at third-party services or platforms it uses for its open source projects. If you find an issue with how the GitHub repository is configured, that’s fine; if you find a problem with GitHub’s login system, it won’t be covered. (Google says it cannot authorize people to “perform security investigations on assets owned by other users and companies” on their behalf.)
For researchers who aren’t motivated by money, Google offers to donate their rewards to a charity chosen by the researcher — in fact, the company says it will double those donations.
Obviously this isn’t the first time Google has gotten a bug bounty – it had some sort of vulnerabilities reward program for more than a decade. But it’s good to see the company taking action on a problem that has raised the alarm. Earlier this year, in the wake of the Log4Shell exploit found in the popular open-source Log4j library, Google said the US government should be more involved in finding and fixing vulnerabilities in critical open-source projects. Since then, if BleepingComputer notes that the company has temporarily increased payouts for people who find bugs in certain open source projects such as Kubernetes and the Linux kernel.