Google Vulnerability Reward Program Focuses on Open Source Software


Google’s bug bounty program will be expanded to include a dedicated open source section, the Open Source Software Vulnerability Reward Program (OSS VRP), the company announced on its security blog.

Under this program, security researchers will be rewarded for finding security flaws in open source projects maintained by Google, as well as in their dependencies.

Rewards of up to $31,337 will be offered to researchers who can find bugs in the open source ecosystem.

Google launches rewards program for OSS

Google initially wants to pay the highest amounts for what it considers the most important projects, which include Bazel, Angular, the Go programming language, Protocol Buffers and Fuchsia.

To focus its efforts on discoveries with the greatest impact on the supply chain, Google is specifically looking for “vulnerabilities that lead to supply chain compromise, design issues that lead to product vulnerabilities and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.”

The company was one of the first to launch a bug bounty program and has run its Vulnerability Reward Program (VRP) for twelve years. Over that time, the scope of software covered by the program has been expanded repeatedly.

The new open source program covers all public projects hosted in Google-owned GitHub repositories.

Dependencies of those public projects are also explicitly in scope, provided the researcher informs the dependency’s maintainers in advance that the finding will be submitted to Google’s program.


The fact that Google is extending the bug bounty program to dependencies reflects a shift in awareness of the software supply chain.

According to Google, attacks against the software supply chain increased by 650% in the last year alone; it cited the Codecov compromise and the Log4j vulnerability as examples.

The company is also one of the founders of the Open Source Security Foundation (OpenSSF), which invests heavily in improving open source security.

“At first glance, this looks like a great addition,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cybersecurity risk remediation. “One of the benefits of OSS is that there are many eyes on the code and vulnerabilities are often discovered and fixed quickly.”

He says that attaching a bug bounty to open source projects gives researchers and developers more incentive to find and report issues before they are exploited in the wild.

“Google is a major contributor to the OSS community, and it really puts its money where it’s at,” he added.

Casey Bisson, head of product and developer enablement at BluBracket, a provider of code security solutions, pointed out that the world’s software is largely built on open source.

“As an organization responsible for a number of open source projects, Google’s bounty program is a necessary response to the growing risk of software supply chain attacks,” he said.

He added that Google had open-sourced several projects in order to expand its ecosystem and influence.

“Now offering security bounties for these projects gives them a similar level of protection that Google offers for its other ‘as a service’ offerings,” Bisson explained.

Parkin said that beyond funding bug bounty programs for open source projects, large vendors could do even more to support the communities that keep open source alive.

“Some of them are already doing it, which is great, but there are a lot of tech companies that are benefiting from OSS projects without really giving much back,” he added. “There are many open source projects that aren’t backed by a big organization, but still add a lot of value to the OSS ecosystem.”

From Parkin’s perspective, it would be good to have some kind of bug bounty pool that could pay for vulnerabilities discovered in these projects.

“While it might be difficult to manage something like this, there’s no doubt that it would be a benefit to the community as a whole,” he said.

Bisson agreed that businesses of all types should consider offering security bounties for the systems they depend on.

“People who investigate security breaches seek to be paid, so offering a bounty to the person who discovers it can help uncover risks that might otherwise be sold to bad actors,” he explained.

Such malicious actors could use a vulnerability to escalate their attacks, including deploying ransomware, stealing source code and secrets, extracting customer and employee records, and pivoting to adjacent systems and partners.

“Google’s bounty program is a good step to protect their software, but the vast open source landscape that businesses depend on remains at risk,” Bisson said.