Google has announced a new bug bounty program dedicated to open source software. According to the announcement, the Open Source Software Vulnerability Reward Program (OSS VRP) covers Google software and repository settings (such as GitHub Actions, application configuration, and access control rules) for software in the public repositories of Google-owned GitHub organizations and some repositories on other platforms.

The new program is a response to the growing frequency of supply chain attacks. Last year, attacks on open source supply chains increased 650% year over year, and headline incidents such as the Codecov and Log4j vulnerabilities showed the devastating potential of a single open source vulnerability. Google's OSS VRP is part of its $10B commitment to improving cybersecurity, including protecting the supply chain against such attacks on behalf of Google users and open source consumers around the world.

Through the program, Google will pay researchers who disclose qualifying vulnerabilities bounties ranging from $100 to $31,337, depending on the severity of the vulnerability found. For particularly interesting bugs, Google says it may also add a small bonus of around $1,000.

Security vulnerabilities in third-party dependencies of Google OSS are also covered by the program, but only if the bug report is first sent to the owner of the vulnerable package, so that the issue is resolved upstream.

A submission describing a vulnerability in a third-party dependency should:

  • Demonstrate that the vulnerability affects the Google project (i.e., show that the third-party vulnerability can be triggered or exploited in Google OSS).
  • Be shared no earlier than 30 days after the upstream fix is available (e.g., a patched package release).

Google said the top rewards go to vulnerabilities found in its most sensitive projects: Bazel, Angular, Golang, Protocol Buffers and Fuchsia, and it plans to expand this list after the initial launch. Google encourages researchers to focus on vulnerabilities that can lead to supply chain compromise, design issues that cause product vulnerabilities, and other security issues such as leaked credentials, weak passwords, or insecure installations.

For those not interested in money, Google will offer the option to donate the winnings to well-known charities in its name. “If you do, we will double your donation at our discretion. Any awards not claimed after 12 months will be donated to a charity of our choice.”
