Security News > 2022 > August > Find a security hole in Google's open source and you could bag a $31,337 reward
Google has created a bug bounty program that will reward those who find and report vulnerabilities in its open-source projects, thereby hopefully strengthening software supply-chain security.
The Open Source Software Vulnerability Rewards Program will pay bug hunters between $100 and $31,337, with the highest payments going to "Unusual or particularly interesting vulnerabilities," according to Googlers Francis Perron, open source security technical program manager, and infosec engineer Krzysztof Kotowicz.
"Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Perron and Kotowicz wrote.
"Google's OSS VRP is part of our $10b commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google's users and open source consumers worldwide," they added.
In May, following a White House meeting, Google and a handful of other big tech companies announced a $30-million-plus commitment to implement a plan to improve open-source and software supply chain security.
Google announced a service called Assured Open Source Software that attempts to make it easier for enterprises to secure their open-source software dependencies.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/08/30/google_open_source_bug_bounty/
Related news
- Google claims Big Sleep 'first' AI to spot freshly committed security bug that fuzzing missed (source)
- Osmedeus: Open-source workflow engine for offensive security (source)
- Am I Isolated: Open-source container security benchmark (source)
- ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps (source)
- Debunking myths about open-source security (source)
- AxoSyslog: Open-source scalable security data processor (source)
- Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects (source)
- Unlocking Google Workspace Security: Are You Doing Enough to Protect Your Data? (source)
- Vanir: Open-source security patch validation for Android (source)