Google invites bug hunters to scrutinize its open source projects
Google wants to improve the security of its open source projects and those projects' third-party dependencies by offering rewards for bugs found in them.
"First and foremost, we welcome submissions pointing out vulnerabilities affecting source or build integrity that could result in a supply chain compromise. Supply chain vulnerabilities include the ability to compromise Google OSS source code, and build artifacts or packages distributed via package managers to users," Google notes.
Fuchsia OS. In time, other projects will be added to this tier, Google says, and notes that vulnerabilities leading to supply chain compromise could be rewarded with a bounty that may reach $31,337.
Bounties for bugs in standard OSS projects will be much lower, and there are no rewards for bugs in low-priority OSS projects.
"Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability. Google's OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google's users and open source consumers worldwide."
News URL
https://www.helpnetsecurity.com/2022/08/31/open-source-bugs-rewards/