Skip links

Find a security hole in Google’s open source and you could bag a $31,337 reward

Google has created a bug bounty program that will reward those who find and report vulnerabilities in its open-source projects, thereby hopefully strengthening software supply-chain security.

The Open Source Software Vulnerability Rewards Program (OSS VRP) will pay bug hunters between $100 and $31,337 (eleet, elite … geddit?), with the highest payments going to “unusual or particularly interesting vulnerabilities,” according to Googlers Francis Perron, open source security technical program manager, and infosec engineer Krzysztof Kotowicz.

Additionally, big payouts will go to researchers who find and report vulnerabilities in the “most sensitive” of the Google-maintained open-source projects: Bazel, Angular, Golang, Protocol Buffers, and Fuchsia

These projects are used in several of the web titan’s products: for example, the Google-designed Go programming language is used heavily in analytics to container environments, while its Fuchsia OS powers smart-home devices, including Alphabet-owned Nest.

After 2021, which proved a banner year for supply chain and open-source software attacks, Google’s latest VPR seeks ethical hackers to home in on security holes that can lead to supply chain compromise and design issues that cause product vulnerabilities, as well as leaked credentials, weak passwords, and insecure installations. 

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability,” Perron and Kotowicz wrote

“Google’s OSS VRP is part of our $10b commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide,” they added.

Google’s now 12-year-old original VRP has expanded over the years and added bug bounties focused on Chrome, Android and other products and projects. Earlier this month, Google’s Kubernetes-based capture-the-flag project, which pays researchers to exploit bugs in the Linux kernel, permanently increased its payouts to a maximum reward of $133,337.

In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VPRs last year.

The move is also part of a broader effort by private software companies as well as the federal government to improve supply chain and open-source security.

In May, following a White House meeting, Google and a handful of other big tech companies announced a $30-million-plus commitment to implement a plan to improve open-source and software supply chain security.  Shortly after that, Google announced a service called Assured Open Source Software that attempts to make it easier for enterprises to secure their open-source software dependencies.

While well-run bug bounties are always welcome, the relatively parsimonious payouts Google is offering look somewhat cheap against the cash on offer by other companies and competitors, not to mention private buyers looking for really good vulnerabilities. ®