Google has announced a new bug bounty program called the Open Source Software Vulnerability Rewards Program (OSS VRP), which will pay security researchers for finding flaws in Google's open source projects.
Google is one of the world's largest open source contributors, as it maintains big time projects such as Golang, Angular, and Fuchsia. Google plans to pay out rewards ranging from $100 to $31,337 depending on the severity of the vulnerability and the project's importance.
Securing open source code has become a major topic of discussion within the cybersecurity community, as attacks targeting the open source supply chain increased 650% year-over-year, Google says.
The Log4j vulnerability, along with some others this last year, highlighted how a single vulnerability can be destructive to an entire supply chain. It is because of instances like Log4j that Google has implemented its OSS VRP.
The OSS VRP can certainly be a huge help to open source as a whole. Google's original reward program, which has been around for almost 12 years, has rewarded 13,000 submissions with payouts totaling over $38 million. If its new open source program gets the same kind of reception, vulnerabilities like Log4j could become few and far between.
How does Google's open source reward program work?
Google says its OSS VRP encourages security researchers to report vulnerabilities with the highest real and potential impact to open source software under the Google portfolio. This includes:
All up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations (eg. Google, GoogleAPIs, GoogleCloudPlatform…).
Those projects' third-party dependencies (with prior notification to the affected dependency required before submission to Google's OSS VRP).
For those looking to earn in the upper echelon of the reward program, Google suggests looking for vulnerabilities in the most sensitive projects, namely Bazel, Angular, Golang, Protocol buffers, and Fuchsia.
For researchers looking to find vulnerabilities that could greatly affect the supply chain (and still pay well), it asks for submissions of:
Vulnerabilities that lead to supply chain compromise
Design issues that cause product vulnerabilities
Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
Google has provided detailed information on the reward program's rules, which you can find here.
Google also left this message for the open source community:
"Google is proud to both support and be a part of the open source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP. The community has continuously surprised us with its creativity and determination, and we cannot wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem. Give it a try, and happy bug hunting!"
Google's bug bounty can help open source supply chain attacks
Many who work in cybersecurity seem to believe that this reward program can help defend against supply chain attacks, which can have devastating consequences.
Some security leaders have shared their opinions with SecureWorld News. Dave Gerry, Chief Operating Officer at Bugcrowd, shared his thoughts on the new program:
"Securing open-source software and the broader software supply chain remain a top concern for security organizations globally. By leveraging the human-intelligence of the researcher community, Google is showing that they are committed to ensuring their open-source projects are secure. This represents a great step being taken by a leader in OSS to ensure they are providing secure OSS components."
Casey Bisson, Head of Product and Development Enablement at BluBracket, said:
"The world's software is largely built on open source. As the steward of a number of open source projects, Google's bounty program is a necessary response to the growing risk of software supply chain attacks.
Google has open sourced a number of projects as a way to expand its ecosystem and influence. Now, offering security bounties for those projects brings them a similar level of protection that Google offers for its *aaS offerings.
Companies of all types should consider offering security bounties for the systems they depend on. People probing security vulnerabilities are looking to get paid, so offering a bounty to the person who discovers it can help uncover risks that might otherwise get sold to bad actors who might use the vulnerability for escalated attacks including ransomware, source code and secrets, extraction of customer and employee records, and further attacks against adjacent systems and partners."
What kind of impact do you think Google's open source vulnerability program will have? Leave your thoughts in the comments below.