Google launches new Open Source Software Vulnerability Rewards Program (OSS VRP)


Google is not alone in running so-called bug bounty programs, which pay outside researchers for tracking down vulnerabilities and security issues in its software. Now the company has launched a new initiative called the Open Source Software Vulnerability Rewards Program (OSS VRP).

As the name suggests, this new program focuses on Google's open source projects. The company is offering rewards of between $100 and $31,337, depending on the severity of the vulnerability.


Google points out that it has already paid out over $38 million in rewards for vulnerabilities found in the likes of Chrome and Android. The company says that the launch of this new program "addresses the ever more prevalent reality of rising supply chain compromises".

The larger payouts under OSS VRP are reserved for what Google refers to as the "most sensitive projects". By this, the company means Bazel, Angular, Golang, Protocol Buffers, and Fuchsia, a list that Google says will expand over time.

Google says:

To focus efforts on discoveries that have the greatest impact on the supply chain, we welcome submissions of:

- Vulnerabilities that lead to supply chain compromise

- Design issues that cause product vulnerabilities

- Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

The company adds:

If your submission is particularly unusual, we'll reach out and work with you directly for triaging and response. In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.

Not sure whether a bug you've found is right for Google's OSS VRP? Don't worry, if needed, we'll route your submission to a different VRP that will give you the highest possible payout. We also encourage you to check out our Patch Rewards program, which rewards security improvements to Google’s open source projects (for example, up to $20K for fuzzing integrations in OSS-Fuzz).

More information is available on the program rules page.

Image credit: Hackman / depositphotos


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.