Google on Monday launched a new bug bounty program for its open source projects, offering payouts ranging from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem against supply chain attacks .
Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.
With the tech giant being the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers and Fuchsia, the program aims to reward discoveries of vulnerabilities that could otherwise have a significant impact on the wider open source landscape.
Other projects managed by Google and hosted on public repositories such as GitHub as well as third-party dependencies included in these projects are also eligible.
Bug hunter submissions must meet the following criteria –
- Vulnerabilities that lead to supply chain compromise
- Design Issues Causing Product Vulnerabilities
- Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
Hardening open source components, especially third-party libraries that act as the building blocks of many software, has become a top priority following the steady escalation of supply chain attacks targeting Maven, NPM, PyPI and RubyGems .
|Image credit: Sonatype|
The Log4Shell vulnerability in the Log4j Java logging library that was disclosed in December 2021 is a great example of this, causing widespread havoc and becoming a clarion call to improve the state of the software supply chain.
“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including high-profile incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability,” said Francis Perron and Krzysztof Kotowicz of Google. said.
The move follows a similar rewards program Google instituted last November to uncover Kubernetes privilege escalation and evasion exploits in the Linux kernel. It has since increased the maximum amount from $50,337 to $91,337 through the end of 2022.
Earlier in May, the internet giant also announced the creation of a new “Open Source Maintenance Team” to focus on hardening the security of critical open source projects.