Google Launches Bug Bounty Program for Open Source Projects
By Ionut Arghire on August 30, 2022
Google today launched a new bug bounty program to reward security researchers who discover and report vulnerabilities in the company’s open source projects.
As part of the new Open Source Software Vulnerability Rewards Program (OSS VRP), Google is offering bug bounty payouts of up to $31,337. The lowest vulnerability reward will be $100.
Small bonus increases – of roughly $1,000 – may be awarded for “particularly clever or interesting vulnerabilities”.
Google has been running its VRP for almost 12 years and has expanded it over time to cover Android, Chrome, the Linux kernel, and other areas. To date, the company has paid over $38 million in bug bounty rewards to reporting researchers.
Focused on open source software, the new program is meant to address the risks associated with supply chain compromise.
“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and Log4Shell that showed the destructive potential of a single open source vulnerability,” Google notes.
The internet giant considers all up-to-date software available in the public repositories of Google-owned GitHub organizations as being within the scope of the OSS VRP. The third-party dependencies of these projects are also included, but researchers must send prior notification to the dependency.
“Please send your bug reports directly to the owner of the vulnerable package first and make sure that the issue is addressed upstream before letting us know of the issue details,” the company explains on the OSS VRP’s page.
In-scope projects are grouped into three tiers, with rewards for vulnerabilities in flagship OSS projects – which are considered particularly sensitive – being significantly higher. The top payouts will be offered for flaws in Bazel, Angular, Golang, Protocol buffers, and Fuchsia.
The internet giant encourages researchers to focus on vulnerabilities leading to supply chain compromise, on design issues leading to product flaws, and on security issues such as credential leaks, weak passwords, and insecure installations.
Related: Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021
Related: Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year
Related: Google Open Sources ‘Paranoid’ Crypto Testing Library
Related: Google Teams Up With GitHub for Supply Chain Security