Google expands bug bounty program to cover GitHub and other open source projects

Share post:

Google is adding to its bounty program that pays for the discovery of application vulnerabilities.

On Tuesday the company launched the Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of bugs in Google’s open source projects.

That covers all up-to-date versions of open source software (including repository configuration settings such as GitHub Actions) stored in the public repositories of Google-owned GitHub organizations (such as Google, GoogleAPIs, Google Cloud Platform, as well as projects that Google maintains, such as the Golang Go programming language, the Angular web developers platform and the Fuchsia operating system.

“The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises,” Google said. “Last year saw a 650 per cent year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability.

“Google’s OSS VRP is part of our US$10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.”

The overall program includes rewards for finding vulnerabilities in Google products such as Chrome, Android, Pixel smartphones, the Google Nest line of smart home products, Fitbit smartwatches, certain apps in the Google Play store, and other areas. Over the past 12 years, this program has rewarded more than 13,000 submissions, with over US$38 million paid out.

The new program not only focuses on Google’s open source projects but also those projects’ third-party dependencies (with prior notification to the affected dependency required before submission to Google’s OSS VRP).

The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia. After the initial rollout that list will be expanded.

The program is looking for

  • vulnerabilities that lead to supply chain compromise;

  • design issues that cause product vulnerabilities;

  • other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.

Depending on the severity of the vulnerability and the project’s importance, rewards will range from US$100 to US$31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.

See the program rules for more information.

The post Google expands bug bounty program to cover GitHub and other open source projects first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

London hospitals cancel over 800 operations after ransomware attack

NHS England disclosed today that a recent ransomware attack on Synnovis has led to the cancellation of hundreds...

Microsoft cancels universal Recall release in favor of Windows Insider preview

Microsoft has decided to cancel the wide release of Recall, the controversial tool for Copilot+ PCs, and instead...

Cyber Security Today, Week in Review for week ending Friday, June 14, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, June 14th,...

Cyber Security Today, June 14, 2024 – Employee downloaded a file that led to hospital chain’s ransomware attack

An employee downloaded a file that led to hospital chain's ransomware attack Welcome to Cyber Security Today. It's Friday...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways