October 1, 2022

COSFONE

Google announces expansion of new bug bounty program for open source software
Google launched the Vulnerability Reward Program (VRP) back in 2010.

As the name suggests, it encourages researchers and cybersecurity experts to detect security issues and vulnerabilities and then report them privately to vendors.

Once reported, the bugs will be fixed by the company, and whoever finds the problem will receive a monetary reward.

Over the past few years, Google has been working to unify the program and extend it to more of its products. Today, the company announced yet another expansion, this time into the open source software (OSS) space.

Google emphasizes that it is one of the largest contributors and maintainers of open source software, with projects such as Golang, Angular, and Fuchsia, so it understands the need to protect this area.

Therefore, its OSS VRP program is also designed to encourage efforts in this area.


OSS VRP focuses on any OSS code owned by Google. This includes not only the projects it maintains, but also any OSS dependencies maintained by other vendors.

The two categories of OSS covered by this VRP are defined as follows:

1. The latest versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations.

2. Third-party dependencies of these projects (the affected parties need to be notified in advance, before the issue is submitted to Google's OSS VRP).

The types of submissions Google now accepts include supply chain compromises, design flaws, and general security issues such as weak or compromised credentials, or insecure deployments.

Rewards start at $100 and go up to $31,337, though the top of that range is generally reserved for the more sensitive projects, such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.


Google hopes this community-driven collaborative effort will help improve the security of open source software.

The initiative is part of a $10 billion cybersecurity investment announced by Google after a meeting with U.S. President Joe Biden a year ago.

Back in April, Google pledged to support the Open Source Security Foundation’s (OpenSSF) Package Analysis Project to detect malicious open source software packages as well.


If you are interested in participating in OSS VRP, you can view the requirements and other processes here:

https://bughunters.google.com/about/rules/6521337925468160/google-open-source-software-vulnerability-reward-program-rules
