Google on Tuesday announced it’s launching a new bug bounty program that focuses specifically on open source software. Bug hunters can earn anywhere from $100 to upwards of $31,000 via the new Open Source Software Vulnerability Rewards Program (OSS VRP), depending on the severity of the vulnerability they find.
The new program tackles a major problem in the software community — a spike in supply chain compromises. Citing a report from the software firm Sonatype, Google notes that attacks targeting the open source supply chain grew 650% year-over-year in 2021. Even single vulnerabilities, like the severe Log4j vulnerability that was discovered in December 2021, can wreak widespread havoc.
Google’s new program encourages bug hunters to look for issues in up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations (such as Google, GoogleAPIs and GoogleCloudPlatform). It also focuses on those projects’ third-party dependencies.
The top awards will go to vulnerabilities found in the most sensitive projects that Google maintains, including Bazel, Angular, Golang, Protocol buffers and Fuchsia. Google is also encouraging bug hunters to look for problems that could have the greatest impact on the supply chain, which could include design issues that cause product vulnerabilities or security issues like leaked credentials.
Rewards will range from $100 to $31,337, depending on the severity of the vulnerability and the project’s importance. “The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Google added in its blog post.
The OSS VRP is part of the $10 billion that Google has committed to spending on US cybersecurity. Google made the commitment last year following a meeting at the White House, where the Biden administration stressed that potential vulnerabilities in open source software are a national security concern.
