Google’s open-source bug bounty aims to curb supply chain attacks

August 30, 2022 by admin

Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open source software or in the building blocks on which its software is built. It pays anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies included in those projects’ codebases.

While it’s important for Google to fix bugs in its own projects (and in the software it uses to track changes to its code, which is also covered by the program), perhaps the most interesting part is the bit about third-party dependencies. Programmers often pull in code from open source projects so that they don’t have to reinvent the same wheel over and over. But because developers often import that code directly, along with any updates to it, the practice opens the door to supply chain attacks. In such an attack, the attackers don’t target the code Google itself controls, but instead go after these third-party dependencies.

Open source libraries can sometimes be used as a trojan horse in larger projects

As SolarWinds showed, this type of attack is not limited to open source projects. But in recent years, we’ve seen several cases where large companies had their security compromised through a dependency. There are ways to mitigate these attack vectors: Google itself has started vetting and distributing a subset of popular open source packages, but it’s nearly impossible to audit all of the code a project uses. By incentivizing the community to check dependencies as well as first-party code, Google can cast a wider net.
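The two paragraphs above describe the mechanism (a build that pulls in a dependency, and whatever the upstream publishes next, automatically) and the mitigation (vetting what actually gets built). A minimal version of that vetting is to pin each dependency to an exact version plus a content digest and to verify the fetched artifact against it before use. The script below is an added example, not code from this article, from Google, or from any real package manager; it uses a constructed manifest format (`name==version sha256=<hex>`) and constructed package names and tarball bytes, and flags the three risky states a reviewer would want surfaced: floating version ranges, pins without a digest, and digest mismatches.

```python
"""Audit a pinned-dependency manifest and verify fetched artifacts by digest.

Added example (not from the article or from Google). The manifest format,
package names and artifact bytes below are all constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# One requirement per line: name, optional version operator, optional digest.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)(?P<op>==|>=|~=|)(?P<ver>\S*)"
    r"(?:\s+sha256=(?P<digest>[0-9a-f]{64}))?$"
)


@dataclass
class Finding:
    name: str
    severity: str  # "ok", "warn" or "fail"
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_manifest(manifest: str, artifacts: dict[str, bytes]) -> list[Finding]:
    """Check every requirement line against the artifacts that were fetched.

    `artifacts` maps "<name>-<version>" to the raw bytes of the downloaded
    package, as a build step would have them on disk before installation.
    """
    findings: list[Finding] = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append(Finding(line, "fail", "unparseable requirement"))
            continue
        name, op, ver, digest = m.group("name", "op", "ver", "digest")
        if op != "==" or not ver:
            # A range or bare name means the next upstream release is pulled in
            # automatically: exactly the exposure the article describes.
            findings.append(Finding(name, "warn",
                f"floating version '{op}{ver or '*'}': next upstream release is installed unreviewed"))
            continue
        if digest is None:
            # Version pins alone do not help if the artifact behind that
            # version is replaced; only a content digest ties the pin to bytes.
            findings.append(Finding(name, "warn",
                "pinned version but no digest: a re-published artifact with the same version is accepted"))
            continue
        key = f"{name}-{ver}"
        data = artifacts.get(key)
        if data is None:
            findings.append(Finding(name, "fail", f"artifact {key} not available for verification"))
            continue
        actual = sha256_hex(data)
        if actual != digest:
            findings.append(Finding(name, "fail",
                f"digest mismatch for {key}: expected {digest[:12]}..., got {actual[:12]}..."))
        else:
            findings.append(Finding(name, "ok", f"{key} matches pinned digest"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity; a non-zero 'fail' should stop the build."""
    counts = {"ok": 0, "warn": 0, "fail": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed artifacts standing in for downloaded tarballs (not real packages).
ARTIFACTS = {
    "fastjson-lite-2.4.1": b"constructed tarball bytes for fastjson-lite 2.4.1",
    "tinylog-0.9.3": b"constructed tarball bytes for tinylog 0.9.3 (replaced upstream)",
    "colorfmt-1.0.0": b"constructed tarball bytes for colorfmt 1.0.0",
}

# Constructed manifest: one fully pinned entry, one whose digest no longer
# matches the fetched bytes, one pinned without a digest, one floating range.
MANIFEST = f"""\
# constructed manifest for the example
fastjson-lite==2.4.1 sha256={sha256_hex(ARTIFACTS["fastjson-lite-2.4.1"])}
tinylog==0.9.3 sha256={"0" * 64}
colorfmt==1.0.0
yaml-parse>=3.1
"""

if __name__ == "__main__":
    results = audit_manifest(MANIFEST, ARTIFACTS)
    for f in results:
        print(f"[{f.severity:4}] {f.name}: {f.reason}")
    print(summarize(results))
```

Run as a script, the audit reports one `ok`, one `fail` (the `tinylog` digest mismatch) and two `warn` entries; in a CI pipeline the `fail` count is the signal to stop before the replaced artifact is installed, while the `warn` entries are the manifest lines that still need a digest added.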

According to Google’s rules, payouts from the Open Source Software Vulnerability Rewards program depend on the severity of the bug, as well as the importance of the project in which it was found (Fuchsia and the like are considered “flagship” projects and thus have the largest payouts). There are also some additional rules around bounties for supply chain vulnerabilities – researchers will first need to inform whoever is in charge of the third-party project before notifying Google. They also need to prove that the issue affects Google’s project; if there is a flaw in any part of the library that the company is not using, it will not be eligible for the program.

“Researchers can now be rewarded for finding bugs that could potentially affect the entire open source ecosystem.”

Google also says it doesn’t want people poking around at third-party services or platforms it uses for its open source projects. If you find an issue with how the GitHub repository is configured, that’s fine; if you find a problem with GitHub’s login system, it won’t be covered. (Google says it cannot authorize people to “perform security investigations on assets owned by other users and companies” on their behalf.)

For researchers who aren’t motivated by money, Google offers to donate their rewards to a charity chosen by the researcher — in fact, the company says it will double those donations.

Obviously this isn’t Google’s first bug bounty – it has run some form of vulnerability reward program for more than a decade. But it’s good to see the company taking action on a problem that has been raising alarms. Earlier this year, in the wake of the Log4Shell exploit found in the popular open-source Log4j library, Google said the US government should be more involved in finding and fixing vulnerabilities in critical open-source projects. Since then, as BleepingComputer notes, the company has temporarily increased payouts for people who find bugs in certain open source projects such as Kubernetes and the Linux kernel.
