Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS).
The company's newly announced Vulnerability Reward Program (VRP) focuses on Google software and repository settings (such as GitHub Actions workflows, application configurations, and access control rules).
It applies to software available in public repositories of Google-owned GitHub organizations, as well as some repositories hosted on other platforms.
Security vulnerabilities in third-party dependencies of Google OSS are in scope for this program, on the condition that the bug reports are first sent to the owners of the vulnerable packages, so the issues are addressed upstream before Google is informed of the findings.
“The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia,” Google said today.
Google’s OSS VRP focuses on security flaws that could have the most significant impact on the software supply chain.
Therefore, the company encourages bug bounty hunters to focus on vulnerabilities that could lead to supply chain compromise, design issues that cause product vulnerabilities, and security issues such as leaked credentials, weak passwords, or insecure installations.
Based on the severity level of the reported flaws and the project’s importance, the final rewards range from $100 to $31,337.
The larger reward amounts will go to particularly interesting and unusual security vulnerabilities, with small bonuses of up to $1,000 also applying to the most interesting and clever bugs.
Category | Flagship OSS projects | Standard OSS projects |
---|---|---|
Supply chain compromises | $3,133.7 – $31,337 | $1,337 – $13,337 |
Product vulnerabilities | $500 – $7,500 | $101 – $3,133.7 |
Other security issues | $1,000 | $500 |
“Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response,” Google said.
“In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.”
In February, Google also nearly doubled rewards for Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF zero-day vulnerabilities and for bug exploits using unique exploitation techniques.
Two months later, in April, the company announced that Android 13 Beta bugs reported through its VRP would get a 50% bonus on top of the standard reward until May 26th, 2022, with a maximum payout of $1.5 million for a full remote code execution exploit chain on the Titan M chip used in Pixel phones running Android 13 Beta builds.
Since launching its first VRP in 2010, Google has paid out over $38 million to thousands of security researchers from over 84 countries for reporting more than 13,000 bugs.
In 2021 it awarded a record-breaking $8,700,000, including a $157,000 payout for an Android exploit chain, the highest in Android VRP history.
https://www.bleepingcomputer.com/information/google/google-launches-open-source-software-bug-bounty-program/