Google has recently (as of August 31) introduced a bug bounty program dedicated to open source projects in hopes of securing its ecosystem from supply chain attacks. The Google program is called Open Source Software Vulnerability Reward Program (OSS VRP) and it will pay out anywhere from $100 to $31,337. Of course, larger amounts will be rewarded for unique and very interesting vulnerabilities.
Google will be accepting submissions on vulnerabilities that have the greatest impact on the supply chain, such as:
While this bug bounty program covers the up-to-date versions of open source software stored in the public repositories of Google-owned GitHub organizations, along with those projects' third-party dependencies, the top awards will go to vulnerabilities found in the following most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia.
Now you may be asking yourself, how can I get involved?
Well, as with all other bug bounty programs, there are some house rules: start by reviewing Google's program rules, which list the out-of-scope projects and vulnerabilities. Once you've read those, you can get started and let the creativity flow.
Let us know what your thoughts are on this bug bounty program. Will you be interested in participating?