Friday, October 13, 2023

Announcing Google’s Open Source Software Vulnerability Rewards Program


Today, we are launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is among the largest contributors to and users of open source in the world. With the addition of Google’s OSS VRP to our family of Vulnerability Reward Programs (VRPs), researchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem.

Google has been committed to supporting security researchers and bug hunters for over a decade. The original VRP program, established to compensate and thank those who help make Google’s code more secure, was one of the first in the world and is now approaching its 12th anniversary. Over time, our VRP lineup has expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, totaling over $38M paid.

The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability. Google’s OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.

Projects

Google’s OSS VRP encourages researchers to report vulnerabilities with the greatest real, and potential, impact on open source software under the Google portfolio. The program focuses on:

  • All up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations (e.g. Google, GoogleAPIs, GoogleCloudPlatform, …).

The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. After the initial rollout we plan to expand this list. Be sure to check back to see what’s been added.

Vulnerabilities

To focus efforts on discoveries that have the greatest impact on the supply chain, we welcome submissions of:

  • Vulnerabilities that lead to supply chain compromise

  • Design issues that cause product vulnerabilities

  • Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.

Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we’ll reach out and work with you directly on triage and response. In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.

Not sure whether a bug you’ve found is right for Google’s OSS VRP? Don’t worry; if needed, we’ll route your submission to a different VRP that will give you the highest possible payout. We also encourage you to check out our Patch Rewards program, which rewards security improvements to Google’s open source projects (for example, up to $20K for fuzzing integrations in OSS-Fuzz).

 

Google is proud to both support and be a part of the open source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP. The community has continuously surprised us with its creativity and determination, and we cannot wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem.

Give it a try, and happy bug hunting!



