Google announces open source vulnerability reward program after Log4j, Codecov issues
Google announced on Tuesday that it is launching an open source software vulnerability bug bounty program, offering cybersecurity researchers up to $31,337 in rewards for spotting bugs that can lead to supply chain compromises or other issues.
The Open Source Software Vulnerability Rewards Program (OSS VRP) is one of the first prominent open source-specific vulnerability programs of its kind, according to Google.
The tech giant currently maintains several open source projects including Golang, Angular, and Fuchsia while also serving as one of the largest contributors and users of open source projects in the world.
The program will be focused on all up-to-date versions of open source software stored in the public repositories of Google-owned GitHub organizations and those projects’ third-party dependencies.
While the top awards will go to bugs found in Bazel, Angular, Golang, Protocol buffers, and Fuchsia, the company plans to expand the list after the initial rollout.
Google is looking for vulnerabilities that may lead to supply chain compromise or design issues that may cause product vulnerabilities. The program will also accept other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.
“With the recent incidents in open source security (e.g. Log4Shell, Codecov), we’ve noticed more security researchers are interested in open source. We want to further encourage that interest, and having a clear scope and rewards for those researchers is part of that,” a Google spokesperson told The Record.
Hackers who find unusual vulnerabilities will be contacted directly by Google as they work on fixing the issue. Google is also offering public recognition in addition to bug bounties.
The company said its use of $31,337 is a nod to internet security culture, and the program will allow participants to donate their rewards to charity for double the original amount.
“The community has continuously surprised us with its creativity and determination, and we cannot wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem,” the company said.
Inspired by Log4j
Google said it was inspired to start the program due to the growing prevalence of open source bugs that have caused widespread controversy, including Log4j vulnerabilities and Codecov. Earlier this month, Rob Silvers, the undersecretary for policy at the U.S. Department of Homeland Security, called Log4j “endemic” and said it may take a “decade or longer” to fully resolve due to its ubiquity.
Google explained that the new program will allow researchers to be rewarded for finding bugs like Log4j “that could potentially impact the entire open source ecosystem.”
The tech giant noted that attacks targeting open source supply chains have increased by 650% in 2021.
“We expect this new program to surface critical vulnerabilities in open source software, thereby helping to improve the overall security posture of the open source ecosystem,” Google said.
The OSS program joins several other vulnerability reward programs that Google began nearly 12 years ago. The bug bounty programs include ones focused on Chrome, Android and other Google products.
So far, Google has paid out $38 million for more than 13,000 submissions from people in more than 84 countries.
The open source project is part of Google’s larger $10 billion effort to improve cybersecurity. Since the Log4j fiasco, Google announced plans to create a new “Open Source Maintenance Crew” tasked with improving the security of critical open source projects.
Google also unveiled two other projects in May — Google Cloud Dataset from Open Source Insights — designed to help developers better understand the structure and security of the software they use.
The tech giant added that it would be improving the OSS-Fuzz service for open source developers that has helped researchers spot more than 2,300 vulnerabilities in over 500 projects over the last year.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.