Google Will Now Pay Bounties for Open Source Software Bugs on Its Platform

Google will now pay bounties for open source software bugs on its platform, which means you now have the chance to earn up to $31,337 for locating a bug in Google's open source software.


The tech company has launched a new program that will pay bounties for bugs found in its open source projects.

The Open Source Software Vulnerability Rewards Program (OSS VRP) by Google is a recent addition to the company’s existing VRPs, which offer cash for discoveries on its platform. Google said that its first VRP, which was one of the first in the world, was aimed at the people who helped Google secure its code. Now in the second decade of running VRPs, the tech company is keen to highlight its commitment to supporting security researchers and bug hunters.

Open Source Software Vulnerability Rewards Program

Google says its VRPs now cover Chrome, Android and other code across the company's wider operations, and have so far paid out more than $38 million to over 13,000 contributors from 84 countries in total. Furthermore, the company has pledged to invest $10 billion in improving cybersecurity, both within the company and for consumers of open source software.

Google cites Codecov and Log4j as two of the most significant incidents behind the 650% year-on-year increase in attacks targeting the OSS supply chain last year.

Google Says the OSS VRP Focuses On “All Up-To-Date Versions” Of OSS

Google's Security Blog says that the OSS VRP focuses on “all up-to-date versions” of OSS stored in Google-owned GitHub organization spaces, such as GoogleAPIs and GoogleCloudPlatform, although the “top awards” are reserved for the most important projects, which Google has so far set out to be Bazel, Angular, Golang, Protocol Buffers, and Fuchsia; a list that is expected to expand after the program's initial rollout.

What Is the Main Target for Hunters

The targets for bug hunters include: “vulnerabilities that lead to supply chain compromise; design issues that cause product vulnerabilities; [and] other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.”

How Much Is the Program Worth

The rewards for this program range from a measly $100 to a substantial $31,337, depending on the severity of the vulnerability that is uncovered. Any valid bugs found that fall outside the scope of this VRP will not be wasted either, as Google has promised to redirect such findings to the relevant VRP.
