Under its Vulnerability Rewards Program, Google provides support for its open-source projects (VRP). For discovering defects and vulnerabilities throughout the whole open-source software (Google OSS) ecosystem, the corporation will reward security experts. This applies to software kept in both repositories hosted on different platforms and the open repositories of GitHub organizations controlled by Google. Under this bug bounty program, vulnerabilities in repository configuration settings are also addressed.

In addition, VRP will cover security weaknesses in Google OSS third-party dependencies. According to the organization, a crucial component of a software package’s security is the security of its dependencies. It only seems sense to include those as well. However, before bringing up the issue to Google for reward, security researchers must first disclose the vulnerability to the vendor of the third-party dependencies and assure a fix for it. After the third-party vendor releases a patch, you have 30 days to report the issue to Google. Additionally, you must be able to show that Google OSS can be used to exploit the third-party vulnerability.

Google explains in detail on its Bug Hunters website that you will now be qualified for prizes under the VRP if you find vulnerabilities in third-party services or platforms used to maintain and develop Google OSS. We are unable to provide you permission to perform security research on other users’ or businesses’ property, according to the Android developer.

Advertisement In terms of qualifying vulnerabilities, Google will compensate researchers for discovering problems with its open-source software such as supply chain compromises, product vulnerabilities, and other security flaws. Open-source supply chains have developed into a key target for hackers to utilize as attack providers, according to Android Police, who was the first to reported this expansion of Google’s VRP. In 2021, there was a 650 percent annual rise in these attacks. Insuring the security of Google software might be greatly improved by including open-source projects under VRP.

Discovering a bug in Google’s open-source software might result in substantial rewards. Google offers several incentive tiers with different payments, as usual. You might receive prizes of more than $31,000 for finding vulnerabilities in prominent OSS projects like Bazel, Angular, Golan, Protocol buffers, and Fuchsia. Standard OSS projects are eligible for rewards up to $13,337, but low-priority OSS projects are not eligible for rewards up to that level, according to the business. The type of vulnerability affects the award amount as well. More money can be made from supply chain hacks than from product vulnerabilities and other security problems.

For further information, security researchers can visit Google’s AA2. The technical details on the project tiers, qualifying vulnerabilities, bug reporting, and more are all provided there.



You may also like