Jump to content
  • Google Launches Major Open Source Bug Bounty Program

    aum

    • 251 views
    • 2 minutes
     Share


    • 251 views
    • 2 minutes

    Google today announced a new program designed to reward researchers that find bugs in its open source projects.


    The Open Source Software Vulnerability Rewards Program (OSS VRP) will incentivize ethical hackers to make open source code more secure in major projects that Google maintains such as Golang, Bazel, Angular, Fuchsia and Protocol buffers.


    The OSS VRP will specifically focus on all up-to-date versions of open source software and repository settings stored in the public repositories of Google-owned GitHub organizations, as well as these projects’ dependencies.


    Google said it welcomes submissions of:

     

    • Vulnerabilities that lead to supply chain compromise
    •  Design issues that cause product vulnerabilities
    •  Other issues such as sensitive or leaked credentials, weak passwords or insecure installations

     

    “Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337,” the tech giant said. “The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.”


    The OSS VRP will sit alongside Google’s VRPs in Chrome, Android and other parts of the business. Since the first was launched around 12 years ago, these programs have rewarded over 13,000 submissions and paid out more than $38m in the process.


    Open source vulnerabilities are big news following the Log4Shell exploit and the subsequent fallout. Many DevOps teams now use third-party open source components to accelerate time-to-market for their offerings, but repositories often contain bugs.


    One vendor detected a 650% year-on-year increase in attacks where threat actors have deliberately planted buggy code in upstream libraries so that they can exploit it at a later date.


    Another report from June claimed that the average application development project contains 49 vulnerabilities spanning 80 direct dependencies. It added that time taken to fix open source vulnerabilities is almost 20% longer than in proprietary projects, and lengthened from 49 days in 2018 to 110 days in 2021.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...