
Google announces new bug bounty program dedicated to open source software

Google launched its Vulnerability Reward Program (VRP) back in 2010. As the name suggests, it encourages researchers and security practitioners to find security issues and vulnerabilities in Google products and report them privately to Google rather than disclosing them publicly.


Once reported, these bugs are fixed by the company, and whoever found the problem receives a monetary reward. Over the past few years, Google has been unifying its reward programs and extending them to more of its products. Now, Google has announced yet another expansion, this time covering open source software (OSS).

Google emphasizes that it is one of the largest contributors to and maintainers of OSS, with projects such as Golang, Angular, and Fuchsia, and understands the need to protect this area. Its OSS VRP is therefore meant to direct dedicated research effort at that code.

The OSS VRP covers open source code in Google's portfolio. This includes not only the projects Google itself maintains, but also the third-party OSS dependencies those projects pull in. The two categories of OSS in scope are defined as follows:

  • Up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations
  • Third-party dependencies of those projects (the affected dependency's maintainers must be notified of the issue before it is submitted to Google's OSS VRP)

The types of submissions Google currently accepts include vulnerabilities that could lead to supply chain compromise, design flaws that cause product vulnerabilities, and other security issues such as weak, leaked, or otherwise compromised credentials, or insecure deployments. Rewards range from $100 up to $31,337, with the top of the range reserved for the most sensitive projects such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.

Google hopes this community-driven collaborative effort will help improve OSS security. The plan is part of a $10 billion cybersecurity investment announced by Google after a meeting with the U.S. president a year ago. Back in April, Google pledged to support the Open Source Security Foundation’s (OpenSSF) package analysis project to detect malicious open source packages.
