Site icon TechNewsBoy.com

Google will now pay bounties for open source software bugs

Google has launched a new program that will pay bounties for bugs found in its open source projects. 

The Open Source Software Vulnerability Rewards Program (opens in new tab) (OSS VRP) is the latest addition to the tech giant’s existing VRPs offering up cash for discoveries.

The company says that its first VRP, aimed at those who helped secure Google’s code, was one of the first in the world. Already in its second decade of operation, Google is keen to highlight its commitment to supporting security researchers and bug hunters.

Google OSS bugs

Google says the VRPs cover various Chrome and Android code across the company’s wider operations, which have resulted in over $38 million being paid out to more than 13,000 contributions, from a total of 84 countries.

Furthermore, Google has pledged to invest $10 billion to improve cybersecurity among its own users and open source software consumers. 

Google cites Codecov and Log4j as two of the most prominent incidents which have contributed to last year’s 650% year-on-year increase in OSS supply chain-targeted attacks. 

Google’s Security Blog (opens in new tab) says the OSS VRP focuses on “all up-to-date versions” of OSS stored in the Google-owned GitHub organization spaces, such as GoogleAPIs and GoogleCloudPlatform, though the “top awards” are reserved for the most sensitive projects, which Google sets out to be Bazel, Angular, Golang, Protocol buffers, and Fuchsia; a list that’s expected to expand after the initial program rollout.

The targets for any hunters include: “vulnerabilities that lead to supply chain compromise; design issues that cause product vulnerabilities; [and] other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.”

Rewards range from a measly $100 to a substantial $31,337, depending on the severity of the vulnerability uncovered, however any applicable bugs that are found that do not relate specifically to this VRP shall not be wasted, with Google promising to redirect any findings to the relevant VRP (and pot of cash). 

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.
Exit mobile version