Google launches new Open Source Software Vulnerability Rewards Program (OSS VRP)
Google is one of many companies running so-called bug bounty programs, which pay outside researchers for tracking down vulnerabilities and security issues in its software. Now the company has launched a new initiative called the Open Source Software Vulnerability Rewards Program (OSS VRP).
As the name suggests, this new program focuses on Google's open source projects. The company is offering rewards of between $100 and $31,337, depending on the severity of the vulnerability.
Google points out that it has already paid out over $38 million in rewards for vulnerabilities found in products such as Chrome and Android. The company says that the launch of this new program "addresses the ever more prevalent reality of rising supply chain compromises".
The larger payouts for OSS VRP are reserved for what Google refers to as the "most sensitive projects". By this, the company means Bazel, Angular, Golang, Protocol buffers, and Fuchsia, but this is a list that will expand over time. Google says:
To focus efforts on discoveries that have the greatest impact on the supply chain, we welcome submissions of:
- Vulnerabilities that lead to supply chain compromise
- Design issues that cause product vulnerabilities
- Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
The company adds:
If your submission is particularly unusual, we'll reach out and work with you directly for triaging and response. In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.
Not sure whether a bug you've found is right for Google's OSS VRP? Don't worry, if needed, we'll route your submission to a different VRP that will give you the highest possible payout. We also encourage you to check out our Patch Rewards program, which rewards security improvements to Google’s open source projects (for example, up to $20K for fuzzing integrations in OSS-Fuzz).
More information is available on the program rules page.