December 8, 2022
Google launches Bug Bounty program to find bugs in open source projects

Google has launched a new bug bounty program for security researchers to find bugs/vulnerabilities in Open Source projects.

In Google’s latest bug bounty program, Google will pay up to $31,337 (about Rs 25 lakh) to researchers who find security bugs.

The newly announced Vulnerability Reward Program (VRP) will focus on Google-maintained open source software and on repository settings such as GitHub Actions workflows, application configurations, and access control rules.

The top awards will go to bugs found in Bazel, Angular, Golang, Protocol Buffers, and Fuchsia; the list of in-scope projects is expected to expand after the initial rollout.

Last year, Google saw a 650 percent year-over-year increase in attacks targeting the open source supply chain.

The open source vulnerability rewards program (VRP) is an extension of the existing Google VRP launched nearly 12 years ago.

Under the new system, the highest payouts will go to researchers who find bugs in the most sensitive projects, including Bazel, Angular, Golang, Protocol Buffers, and Fuchsia, with other rewards going to bugs that are “unusual or particularly interesting”.

Google said its OSS VRP is part of “our $10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide”.

Google is one of the biggest contributors to and consumers of open source in the world, serving as the maintainer of important projects including Golang, Angular, and Fuchsia.

New VRP program joins our family: Get rewards for finding vulns in our open source software!

Originally tweeted by Google VRP (Google Bug Hunters) (@GoogleVRP) on August 30, 2022.
