Find a security hole in Google's open source and you could bag a $31,337 reward
2022-08-30 22:58

Google has created a bug bounty program that will reward those who find and report vulnerabilities in its open-source projects, thereby hopefully strengthening software supply-chain security.

The Open Source Software Vulnerability Rewards Program will pay bug hunters between $100 and $31,337, with the highest payments going to "Unusual or particularly interesting vulnerabilities," according to Googlers Francis Perron, open source security technical program manager, and infosec engineer Krzysztof Kotowicz.

"Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Perron and Kotowicz wrote.

"Google's OSS VRP is part of our $10b commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google's users and open source consumers worldwide," they added.

In May, following a White House meeting, Google and a handful of other big tech companies announced a $30-million-plus commitment to implement a plan to improve open-source and software supply chain security.

Google announced a service called Assured Open Source Software that attempts to make it easier for enterprises to secure their open-source software dependencies.
News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/30/google_open_source_bug_bounty/