Google launches bug bounty program for open source projects


Search engine giant Google has announced a new open source bug bounty program to reward researchers who will discover and report vulnerabilities in its open-source projects like Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. The aim of the program is to combat a rising threat of supply chain attacks, Google says.

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability,” the tech giant said.

The program focuses on up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations, as well as those projects’ third-party dependencies (with prior notification to the affected dependency required before submission to Google’s OSS VRP).

The new bug bounty program covers bugs that lead to supply chain compromise, design issues that cause product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.

The payouts will range from $100 to $31,337 depending on the severity of the security issue and the project’s importance.
