Google announces expansion of new bug bounty program for open source software
Google launched the Vulnerability Reward Program (VRP) back in 2010.
As the name suggests, it encourages researchers and cybersecurity experts to detect security issues and vulnerabilities and then report them privately to vendors.
Once reported, the bugs will be fixed by the company, and whoever finds the problem will receive a monetary reward.
Over the past few years, Google has been working to unify the program and extend it to more platforms. Today, the company announced yet another expansion, this time in the open source software (OSS) space.
Google emphasizes that it is one of the largest contributors and maintainers of open source software, with projects such as Golang, Angular, and Fuchsia, so it understands the need to protect this area.
Therefore, its OSS VRP program is also designed to encourage efforts in this area.
OSS VRP focuses on any OSS code owned by Google. This includes not only the projects it maintains, but also any OSS dependencies maintained by other vendors.
The two categories of OSS covered by this VRP are defined as follows:
- The latest versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations.
- Third-party dependencies of these projects (the affected third parties must be notified before the issue is submitted to Google's OSS VRP).
The types of submissions Google now accepts include supply chain compromises, design flaws, and general security issues such as weak or compromised credentials, or insecure deployments.
Rewards start at $100 and go up to $31,337, with the largest rewards reserved for the most sensitive projects, such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.
Google hopes this community-driven collaborative effort will help improve the security of open source software.
The initiative is part of a $10 billion cybersecurity investment announced by Google after a meeting with U.S. President Joe Biden a year ago.
Back in April, Google pledged to support the Open Source Security Foundation’s (OpenSSF) Package Analysis Project to detect malicious open source software packages as well.
If you are interested in participating in OSS VRP, you can view the requirements and other processes here: