Google invites bug hunters to scrutinize its open source projects

Google wants to improve the security of its open source projects and those projects’ third-party dependencies by offering rewards for bugs found in them.

“Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Googlers Francis Perron and Krzysztof Kotowicz explained.

Google offers rewards for bugs in its open source software

Google’s Open Source Software Vulnerability Reward Program (OSS VRP) covers:

• The latest versions of open source software stored in the public repositories of Google-owned GitHub organizations, and selected repositories hosted on other platforms
• Repository configuration settings (e.g., GitHub actions, access control rules, GitHub application configurations)
• Vulnerabilities in third-party dependencies (if they can be triggered or exploited in Google open source projects)

“First and foremost, we welcome submissions pointing out vulnerabilities affecting source or build integrity that could result in a supply chain compromise. Supply chain vulnerabilities include the ability to compromise Google OSS source code, and build artifacts or packages distributed via package managers to users,” Google notes.

They also want to be alerted to design or implementation issues in Google OSS that causes a product vulnerability (e.g., memory corruption issues in file format parsers or network protocol implementations, failures in the sanitizer functions, path traversal issues, etc.)

Finally, they would like to known about various issues that could affect the security of the target projects, such as sensitive credentials stored in personal projects, insecure installation / software usage instructions, credential leaks in publicly stored backups, and so on.

The rewards will be higher for vulnerabilities reported in a number of Google flagship OSS projects such as:

• Bazel (a tool for automating the building and testing of software)
• Angular (web application framework)
• Go(lang) programming language
• Protocol Buffers (data format for serializing structured data)
• Fuchsia OS

In time, other projects will be added to this tier, Google says, and notes that vulnerabilities leading to supply chain compromise could be rewarded with a bounty that may reach $31,337.

Bounties for bugs in standard OSS projects will be much lower, and there are no rewards for bugs in low-priority OSS projects (e.g., projects with small community impact, no executable code, etc.).

Improving supply chain security

“The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises,” Perron and Kotowicz added.

“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability. Google’s OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.”

Aspiring bug hunters are advised to check out the OSS VRP rules for specifics.