Google's new bug bounty program targets open source vulnerabilities
2022-08-30 17:53 by Daniela
Tags: bug bounty, VRP
Google on Tuesday announced it's launching a new bug bounty program that focuses specifically on open source software.
Google says it started the program because attackers increasingly treat the open-source software that companies depend on as an attack vector. The company cites a study that found a 650% increase in attacks targeting open-source supply chains in 2021 compared to 2020. To reduce the chance that Google itself is hit, it is bringing its own open-source projects into its Open Source Software Vulnerability Rewards Program (VRP).
Bug hunters can earn anywhere from $100 to upwards of $31,000 via the new program, depending on the severity of the vulnerability they find and the importance of the project it was found in (Fuchsia and the like are considered "flagship" projects and thus have the biggest payouts). There are also some additional rules around bounties for supply chain vulnerabilities - researchers will have to inform whoever is actually in charge of the third-party project first before telling Google. They also have to prove that the issue affects Google's project; if there's a bug in a part of the library the company isn't using, it won't be eligible for the program.
At first, Google will focus on the most widely used and critical projects, says Francis Perron, open source security technical program manager at Google.
"We want to offer a high-quality bug-hunting experience, so we picked projects which had enough maturity in their response and their processes to test this program," he says. "Broadening the scope will happen after we compile enough data internally, and make sure we can scale up without harming the projects, and the researchers."
Read more -here-