Google on Tuesday announced it’s launching a new bug bounty program that focuses specifically on open-source software.
The payouts will range from $100 to $31,337 depending on the severity of the security issue and project’s importance.
The aim of the program is to combat a rising threat of supply chain attacks, Google says.
The launch highlights that a crowdsourced approach to security has the potential to mitigate vulnerabilities in widely used (but traditionally underfunded and under-maintained) open-source projects, and eliminate potential entry points into enterprise environments.
The release of the OSS VRP comes as anxiety over attacks on the software supply chain has reached an all-time high, following the discovery of zero-day vulnerabilities such as Log4Shell in Log4j and monumental data breaches impacting providers including SolarWinds and Codecov.
This anxiety was well-founded: threat actors were actively looking to exploit weaknesses in the software supply chain, with attacks targeting the open-source software supply chain increasing 650% between 2020 and 2021.
Combined, these factors have severely dented confidence in the security of open-source software. Research shows that 41% of organizations don’t have high confidence in their open-source software security.
Rewards will range from $100 to $31,337, depending on the severity of the vulnerability and the project’s importance. “The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Google added in its blog post.
However, providers like Google are aiming to restore confidence in the software supply chain by financially incentivising researchers to identify and fix vulnerabilities.