Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.

Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.

With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.

Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible.

Submissions from bug hunters are expected to meet the following criteria –

  • Vulnerabilities that lead to supply chain compromise
  • Design issues that cause product vulnerabilities
  • Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

Beefing up open source components, especially third-party libraries that act as the building block of many a software, has emerged a top priority in the wake of steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.

Image credit: Sonatype

The Log4Shell vulnerability in the Log4j Java logging library that came to light in December 2021 is a prime example, causing widespread havoc and becoming a clarion call for improving the state of the software supply chain.

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability,” Google’s Francis Perron and Krzysztof Kotowicz said.

The move follows a similar rewards program Google instituted last November for uncovering privilege escalation and Kubernetes escape exploits in the Linux Kernel. It has since upped the maximum amount from $50,337 to $91,337 until the end of 2022.

Earlier this May, the internet behemoth also announced the creation of a new “Open Source Maintenance Crew” to focus on bolstering the security of critical open source projects.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Portion of Twitter’s proprietary source code leaked on GitHub

Portion of Twitter’s proprietary source code leaked on GitHub

Reportedly, the source code remained public for several months before being taken down by GitHub. According to a news report…
Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu and more Pwned

Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu and more Pwned

At Pwn2Own 2023, participants were awarded a full bounty (more than $1,000,000) in each round for successful exploits. Pwn2Own, as…
Latitude Financial Data Breach: 14 Million Customers Affected

Latitude Financial Data Breach: 14 Million Customers Affected

The Australian consumer lender, Latitude Financial, has suffered a major cyber attack, leading to a data breach of passport and…