Google launched its Vulnerability Reward Program (VRP) way back in 2010. As the name suggests, it encourages researchers and security practitioners to find security bugs and report them privately to Google rather than disclosing them publicly. Google then fixes the reported bugs and pays the reporter a monetary reward. Over the past few years, Google has consolidated its reward programs under a single platform and steadily widened their scope. Today, the company has announced yet another expansion, this time into open source software (OSS).
Google has emphasized that it is one of the largest contributors to and maintainers of OSS, with projects like Golang, Angular, and Fuchsia under its wing, so it understands the need to secure this domain. The new OSS VRP is designed to reward dedicated effort on this front as well.
The OSS VRP covers open source code within Google's portfolio. That means not only the projects Google itself maintains, but also the third-party dependencies those projects pull in. The two categories of OSS in scope are:
- All up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations
- Those projects' third-party dependencies (the affected dependency's maintainers must be notified before a report is submitted to Google's OSS VRP)
The types of submissions Google is accepting right now include supply chain compromises, design defects that could lead to a vulnerability, and other security issues such as weak or leaked credentials and insecure deployments. Rewards start at $100 and go up to $31,337, with the top of the range reserved for the most sensitive projects, such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.
Google hopes that this community-driven, collaborative effort will help improve OSS security. The initiative is part of the $10 billion cybersecurity investment Google announced a year ago after meeting with U.S. President Joe Biden. Back in April, Google also pledged support for the Open Source Security Foundation's (OpenSSF) Package Analysis project, which aims to detect malicious open source packages.
If you're interested in participating in the OSS VRP, you can check out the eligibility requirements and submission process on the program's rules page.