In 2010, Google introduced the Vulnerability Reward Program (VRP). As the name implies, it encourages security researchers and professionals to find security flaws and exploits and then disclose them in confidence to the vendor. Once reported, the defects are fixed by the company, and the person who discovered the problem is granted a cash reward. Over the last few years Google has been working to broaden the programme's reach and consolidate it. The company has today announced yet another expansion, this time in the area of open source software (OSS).
With projects like Golang, Angular, and Fuchsia under its wing, Google has underlined that it is one of the largest contributors to and maintainers of OSS and that it is aware of the need to secure this area. Its OSS VRP programme is designed to promote consistent effort on this front. Any OSS code that is part of Google's portfolio is in scope for the OSS VRP. This includes not only the projects it manages but also any OSS dependencies of those projects that are maintained by other vendors. The following definitions apply to the two OSS categories covered by this VRP:
- All current open source software (including repository settings) stored in the public repositories of GitHub organisations controlled by Google.
- The third-party dependencies of such projects (the affected dependency must be notified before a report is submitted to Google's OSS VRP).
Google is currently accepting reports for supply chain compromise, design flaws, and basic security issues such as weak or compromised credentials and insecure deployments. The higher reward tiers target more sensitive projects like Bazel, Angular, Golang, Protocol Buffers, and Fuchsia. Rewards start at $100 and go up to $31,337.
Through this community-driven, collaborative effort, Google aims to improve the security of OSS. The programme is part of the $10 billion cybersecurity investment that Google unveiled a year ago during a meeting with American President Joe Biden. Back in April, Google also pledged support for the Open Source Security Foundation's (OpenSSF) Package Analysis Project, which aims to identify malicious open source packages.