Google launches open-source software bug bounty program

Google bug bounty program

Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS).

The company’s newly announced Vulnerability Reward Program (VRP) focuses on Google software and repository settings (such as GitHub Actions workflows, application configurations, and access control rules).

It applies to software available on public repositories of Google-owned GitHub organizations as well as some repositories from other platforms.


Security vulnerabilities in Google OSS third-party dependencies are in scope for this program, with the condition that the bug reports are first sent to the owners of the vulnerable packages, so the issues are addressed upstream before informing Google of the findings.

“The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia,” Google said today.

The focus of Google’s OSS VRP is security flaws that would have the most significant impact on the software supply chain.

Therefore, the company encourages bug bounty hunters to focus on vulnerabilities that could lead to supply chain compromise, design issues causing product vulnerabilities, and security issues like leaked credentials, weak passwords, or insecure installations.

Based on the severity level of the reported flaws and the project’s importance, the final rewards range from $100 to $31,337.

The larger reward amounts will go to particularly interesting and unusual security vulnerabilities, with small bonuses of up to $1,000 also applying to the most interesting and clever bugs.

“Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response,” Google said.

“In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.”
