Today, we’re launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as , , and , Google is among the largest open source contributors in the world. With the addition of Google’s OSS VRP to our family of VRPs, researchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem.
Google has been committed to supporting security researchers and bug hunters for over a decade. The original VRP program, established to compensate and thank those who help make Google’s code more secure, was one of the first in the world and is now approaching its . Over time, our VRP lineup has expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, totaling over $38M paid.
The addition of this new program addresses the increasingly prevalent reality of growing supply chain compromises. Last year saw a rise in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that demonstrated the destructive potential of a single open source vulnerability. Google’s OSS VRP is part of our , which includes securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.
Google’s OSS VRP encourages researchers to report vulnerabilities with the greatest real, and potential, impact on open source software under the Google portfolio. The program focuses on:
All up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations (e.g. , , , …).
The top awards will go to vulnerabilities found in the most sensitive projects: , , , , and . After the initial rollout we plan to expand this list. Be sure to check back to see what’s been added.
To focus efforts on discoveries that have the greatest impact on the supply chain, we welcome submissions of:
Vulnerabilities that lead to supply chain compromise
Design issues that cause product vulnerabilities
Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.
Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we’ll reach out and work with you directly on triage and response. In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.
Not sure whether a bug you’ve found is right for Google’s OSS VRP? Don’t worry; if needed, we’ll route your submission to a different VRP that offers you the highest possible payout. We also encourage you to check out our , which rewards security improvements to Google’s open source projects (for example, up to $20K for ).
Google is proud to both support and be a part of the open source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to growing that number through this new VRP. The community has continually surprised us with its creativity and determination, and we cannot wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem.
Give it a try, and happy bug hunting!