Announcing Google’s Open Source Software Vulnerability Rewards Program

Today we are launching Google’s Open Source Software Vulnerability Reward Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is one of the largest open source contributors and users in the world. With the addition of Google’s OSS VRP to our family of Vulnerability Reward Programs (VRPs), researchers can now be rewarded for finding bugs that could potentially affect the entire open source ecosystem.

Google has been committed to supporting security researchers and bug hunters for more than a decade. The original VRP program, established to compensate and thank those who help make Google’s code more secure, was one of the first in the world and is now approaching its 12th anniversary. Over time, our VRP lineup has expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, with a total payout of more than $38 million.

The addition of this new program addresses the increasingly prevalent reality of rising supply chain compromises. Last year we saw a 650% year-over-year increase in attacks targeting the open source supply chain, including high-profile incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability. Google’s OSS VRP is part of our $10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers around the world.


Google’s OSS VRP encourages researchers to report vulnerabilities with the greatest real and potential impact on open source software in Google’s portfolio. The program focuses on:

  • All up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations (e.g. Google, Google APIs, Google Cloud Platform, …).


The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. After the initial rollout, we plan to expand this list. Be sure to check back to see what has been added.


To focus efforts on discoveries that have the greatest impact on the supply chain, we welcome submissions of:

  • Vulnerabilities that lead to supply chain compromise

  • Design issues that cause product vulnerabilities

  • Other security issues, such as sensitive or leaked credentials, weak passwords, or insecure installations

Depending on the severity of the vulnerability and the importance of the project, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.

Before you begin, review the program rules to learn more about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we will reach out and work with you directly on triage and response. In addition to a reward, you can receive public recognition for your contribution. You can also choose to donate your reward to a charity for double the original amount.

Not sure whether a bug you have found is a fit for Google’s OSS VRP? Don’t worry: if needed, we will route your submission to a different VRP that gives you the highest possible payout. We also encourage you to check out our Patch Rewards program, which rewards security improvements to Google’s open source projects (for example, up to $20,000 for fuzzing integrations in OSS-Fuzz).

Google is proud to both support and be part of the open source software community. Through our existing bug bounty programs, we have rewarded bug hunters from over 84 countries and hope to increase that number through this new VRP. The community has continually amazed us with its creativity and dedication, and we cannot wait to see what new bugs and discoveries they have in store. Together, we can help improve the security of the open source ecosystem.

Give it a try, and happy bug hunting!