Google bug bounty launched
The company is encouraging vulnerability reporting.
Google has launched its Open Source Software Vulnerability Rewards Program (OSS VRP) – see https://bit.ly/lxf295ossvrp. As the company behind major open source projects such as Golang and Fuchsia, as well as being one of the largest open source contributors, Google is obviously keen on making sure its own projects, as well as those it relies on, are as secure as possible.
The OSS VRP joins Google’s other Vulnerability Rewards Program (VRP), which has been running for almost 12 years, and has paid out over $38 million to people who have successfully submitted vulnerabilities.
With the OSS VRP, Google is looking for vulnerabilities in public repositories of Google-owned GitHub organisations, as well as in their third-party dependencies, specifically vulnerabilities that lead to supply chain compromises, as well as easily obtained credentials, weak passwords and insecure installations.
Google states the rewards will range from $100 to $31,337, and the company is reserving the highest rewards for “unusual or particularly interesting vulnerabilities, so creativity is encouraged.” Google also wants to focus on its most sensitive projects: Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. The company will double any winnings that are donated to charity.
With a worrying trend of attacks targeting open source projects increasing sharply, reward schemes like this are a great way of encouraging the community to help identify vulnerabilities so they can be patched.