Google is starting a new bug bounty program for its own open source software. The company is adding projects such as Golang and Angular programming languages to its existing self-managed bug bounty program. External software also falls within the scope.
google writes that it hosts all of its public repos as a separate part of the Vulnerability Rewards Program. That’s Google’s own bug bounty program. VRP is divided into different parts, such as a program for apps in the Play Store, but also a separate program for third-party apps. Now the Google OSS program is also added. The company calls the scope no specific list, but the company says that “all public repositories in Google’s GitHub organizations and certain repositories in other platforms” fall within that scope.
Google does mention a number of projects whose impact is greater than others. There is also a much higher reward for this. It concerns Basel, Angular, Golang, Fuschia and structure platform Protocol Buffers. Those projects fall within the highest tier of rewards. They yield between 500 and 31,137 dollars. The latter applies to a bug that can attack other products in a development chain. There is also a tier for standard projects, where the rewards range from 101 to 13,137 dollars. The lowest tier is for bugs in repos that are no longer tracked or are very small. Google does not give a reward for that.
In particular, Google wants researchers to focus on apps that can affect the supply chain. These must be bugs that allow the source code of software to be modified in the main branch of a repo, or where cryptographic keys can be stolen, for example.
It is striking that the new bug bounty program offers the possibility to submit vulnerabilities in third-party dependencies. In addition, Google says that researchers should first address the original developers of that software.
|Supply Chain Vulnerabilities||$3,133.7 – $31,337||$1,337 – $13,337|
|Product Vulnerabilities||$500 – $7,500||$101 – $3,133.7||–|