Google will pay up to $31,000 to those who find vulnerabilities in its open source software

Google has launched a new Vulnerability Reward Program for its open source software. The company will pay rewards of up to just over US$31,000 as an incentive to those who find bugs in its open source ecosystem and report them.

“Today we are launching the Open Source Software Vulnerability Rewards Program (OSS VRP) to reward vulnerability discoveries in Google’s open source projects. As the maintainer of major projects like Golang, Angular and Fuchsia, Google is among the largest contributors and users of open source in the world. With the addition of Google’s OSS VRP to our family of Vulnerability Reward Programs (VRPs), researchers can now be rewarded for finding bugs that could potentially affect the entire open source ecosystem,” said Francis Perron, Open Source Security Technical Program Manager, and Krzysztof Kotowicz, Information Security Engineer, in a statement from Google.

Rewards top out at just over $31,000. “Depending on the severity of the vulnerability and the importance of the project, the rewards will range from US$100 to US$31,337. The largest amounts will also go towards unusual or particularly interesting vulnerabilities, so creativity is encouraged.”

Google’s wider VRP family has been rewarding bug finders for over a decade. “Google has been committed to supporting security researchers and bug hunters for more than a decade. The original VRP program, established to compensate and thank those who help make Google’s code more secure, was one of the first in the world and is now approaching its 12th anniversary,” they add.

These programs have paid out millions of dollars. “Over time, our VRP lineup has expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 reports, with a total paid amount of more than US$38 million,” they add.

The program focused on open source software was prompted by the supply chain attacks of 2021. “The addition of this new program addresses the increasingly prevalent reality of growing supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including high-profile incidents like Codecov and the Log4j vulnerability that showcased the destructive potential of a single open source vulnerability,” they note.

Google is therefore investing a large amount of money to secure that ecosystem. “Google’s OSS VRP is part of our $10 billion commitment to improve cybersecurity, including supply chain protection against these types of attacks, for both Google users and open source consumers around the world.”