Google has created a bug bounty program that rewards those who find and report vulnerabilities in its open source projects, hopefully strengthening the security of the software supply chain.
The Open Source Software Vulnerability Rewards Program (OSS VRP) pays bug hunters between $100 and $31,337 (eleet, elite…geddit?), with the highest payouts going to “unusual or particularly interesting vulnerabilities,” according to Googlers Francis Perron, open source security technical program manager, and information security engineer Krzysztof Kotowicz.
The largest payouts go to researchers who find and report vulnerabilities in the “most sensitive” of Google’s maintained open source projects: Bazel, Angular, Go, Protocol Buffers, and Fuchsia.
These projects are used in several of the web titan’s products: for example, the Google-designed Go programming language is widely used in everything from analytics to container environments, while the Fuchsia operating system powers smart-home devices, including those of Alphabet-owned Nest.
After 2021, a banner year for supply chain attacks on open source software, Google’s latest VRP looks for ethical hackers to uncover security holes that can lead to supply chain compromise and design issues that create product vulnerabilities, as well as leaked credentials, weak passwords, and insecure installations.
“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents such as Codecov and the Log4j vulnerability demonstrating the destructive potential of a single open source vulnerability,” Perron and Kotowicz wrote.
“Google’s OSS VRP is part of our $10 billion commitment to improve cybersecurity, including securing the supply chain against these types of attacks for both Google users and open source consumers around the world,” they added.
Google’s now 12-year-old original VRP has expanded over the years, adding bug bounties targeting Chrome, Android, and other products and projects. Earlier this month, Google’s Kubernetes-based capture-the-flag project, which pays researchers to exploit bugs in the Linux kernel, permanently increased its payouts to a maximum reward of $133,337.
In total, Google paid $8.7 million in rewards to nearly 700 researchers across its various VRPs last year.
The move is also part of a wider effort by both private software companies and the federal government to improve supply chain and open source security.
In May, after a meeting at the White House, Google and a handful of other major tech companies announced a $30 million commitment to implement a plan to improve open source and software supply chain security. Shortly after, Google announced a service called Assured Open Source Software that aims to make it easier for businesses to secure their open source software dependencies.
While thriving bug bounties are always welcome, the relatively frugal payouts Google offers look a bit cheap compared to the money on offer from other companies, not to mention private buyers looking for really good vulnerabilities. ®