Google confirms its commitment to open source and launches another bug bounty program 


Google expands its portfolio of rewards programs

Google has reaffirmed its commitment to open source and has released a new program to support security researchers and bug hunters, offering cash rewards to anyone who discovers vulnerabilities in the open source software projects it leads.

The rewards program announced is the latest addition to Google's family of vulnerability bounty programs and focuses on rewarding researchers who find bugs that could harm some of the world's most widely used open source projects.

Established to compensate and thank those who help make Google's code more secure, the original VRP program was one of the first in the world and is now approaching its 12th anniversary. Over time, our VRP lineup has expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13 submissions, with a total payout of more than $000 million.

As many will know, Google is primarily responsible for numerous major open source projects, such as Android, Golang, the TypeScript-based web application framework Angular, and the Fuchsia operating system for smart home devices like Nest.

Today we're launching Google's Open Source Software Vulnerability Reward Program (OSS VRP) to reward vulnerability discoveries in Google's open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is among the largest contributors to and users of open source in the world. With the addition of Google's OSS VRP to our family of Vulnerability Reward Programs (VRPs), researchers can now be rewarded for finding bugs that could potentially affect the entire open source ecosystem.

Vulnerabilities are a big problem, Google explained in a blog post. It said there was a 650% increase in attacks targeting the open source software supply chain last year, resulting in major incidents such as the exploitation of the Log4Shell vulnerability.

"Bug hunting is a popular tool not only for improving the quality of software offerings, but also for increasing developer familiarity while acting as an incentive for deeper interaction with the code," said Holger Mueller of Constellation Research Inc. "In this regard, it's good to see that Google offers another bug search, labeled Open Source Software Vulnerability Program. All the parameters are attractive; the developer communities are fickle, so we will see how the response will be and, more importantly, what flaws and further adoption of the underlying platforms can be obtained."

The OSS VRP program announced today is part of that commitment.

For its part, Google encourages researchers to review its open source software code and report any vulnerabilities that they discover. Google said it will pay bounties based on the severity of the vulnerability and the importance of the project, ranging from $100 to $31,337. Larger bounties will also be paid for more "unusual or particularly interesting vulnerabilities," for which Google encourages researchers to get creative.

In addition to rewards, users can also receive public recognition for their discoveries if they so choose. For those who want to donate their reward to charity, Google said it will match those contributions from its own cash pile.

Google explained that researchers should focus their efforts on the most up-to-date versions of the open source software projects it leads, which can be found in public repositories on Google's GitHub page. The bug hunt also extends to the third-party dependencies of those projects.

Finally, if you are interested in learning more about this announcement, you can consult the statement issued by Google at the following link.
