There are rewards of up to 31 thousand dollars, Google will pay whoever reports bugs in its open source software
Google will now pay security researchers who find and report bugs in the latest versions of Google's open source software (Google OSS). This will be done through the Vulnerability Reward Program (VRP) that the company has announced.
This program focuses on Google software and repository configuration, for example software available in public GitHub repositories owned by Google, as well as in some repositories on other platforms.
Of course, to receive the payment that Mountain View offers, bug reports must first be sent to the owners of the vulnerable packages, so that they can address the problems themselves, before the findings are reported to Google.
«The biggest prizes will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia», Google said today.
Importance of failures in the supply chain
The focus of the Google OSS Vulnerability Bounty Program is the security flaws that would have the most significant impact on the software supply chain.
Specifically, the company encourages researchers to focus on vulnerabilities that could compromise the supply chain, design issues that cause product vulnerabilities, and security issues such as credential leaks, weak passwords, or insecure installations.
In a supply chain attack, attackers compromise the security of a third party and thereby manage to infiltrate the systems that use its services.
Depending on the severity level of reported bugs and the importance of the project, final rewards range from $100 to $31,337.
According to Google, «in addition to a reward, you can receive public recognition for your contribution. You can also choose to donate your reward to a charity for double the original amount.»