Google Launches Major Open Source Bug Bounty Program

Google right now announced a new application intended to reward researchers that locate bugs in its open resource tasks.

The Open up Supply Software program Vulnerability Benefits System (OSS VRP) will incentivize ethical hackers to make open up supply code a lot more safe in big tasks that Google maintains this kind of as Golang, Bazel, Angular, Fuchsia and Protocol buffers.

The OSS VRP will particularly aim on all up-to-date versions of open supply program and repository configurations stored in the public repositories of Google-owned GitHub businesses, as properly as these projects’ dependencies.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

Google mentioned it welcomes submissions of:

• Vulnerabilities that guide to provide chain compromise
• Style and design issues that bring about merchandise vulnerabilities
• Other issues these as delicate or leaked credentials, weak passwords or insecure installations

“Depending on the severity of the vulnerability and the project’s significance, benefits will vary from $100 to $31,337,” the tech large reported. “The larger amounts will also go to strange or specially exciting vulnerabilities, so creative imagination is inspired.”

The OSS VRP will sit alongside Google’s VRPs in Chrome, Android and other areas of the enterprise. Given that the first was launched close to 12 several years ago, these packages have rewarded more than 13,000 submissions and compensated out more than $38m in the procedure.

Open source vulnerabilities are major information following the Log4Shell exploit and the subsequent fallout. Several DevOps teams now use third-party open up supply elements to accelerate time-to-sector for their choices, but repositories frequently incorporate bugs.

Just one seller detected a 650% year-on-calendar year improve in attacks where by danger actors have intentionally planted buggy code in upstream libraries so that they can exploit it at a afterwards day.

A further report from June claimed that the typical application progress venture has 49 vulnerabilities spanning 80 direct dependencies. It added that time taken to deal with open supply vulnerabilities is just about 20% for a longer time than in proprietary projects, and lengthened from 49 days in 2018 to 110 days in 2021.