Google debuts open source bug bounty programme

Google has added a strand to its stable of vulnerability rewards programmes (VRPs) with the launch of a dedicated open source software (OSS) track that will reward hackers who disclose bugs in Google’s open source projects.

Its existing VRP programmes date back to 2010 and have collectively rewarded over 13,000 submissions with pay-outs of more than $38m (£33m) covering multiple products, including the Android mobile operating system (OS) and Chrome web browser.

Google maintains multiple OSS projects including web development platform Angular, operating system Fuchsia, and programming language Golang. The launch of its OSS VRP is a significant moment for the search giant, reflecting a growing number of OSS vulnerabilities uncovered in recent times, which provide gateways for threat actors into multiple potential victims.

High-impact supply chain attacks enabled by OSS vulnerabilities include the April 2021 compromise of code auditing service Codecov, and Log4Shell, the consequences of which continue to echo around the world nine months on.

“Google is proud to both support and be a part of the open source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP,” wrote Google’s open source security technical programme manager Francis Perron, and information security engineer Krzysztof Kotowicz.

“The community has continuously surprised us with its creativity and determination, and we cannot wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem.”

The programme has been designed to encourage researchers to disclose vulnerabilities that have the greatest potential, or actual real-world impacts. It will cover all up-to-date OSS versions stored in the public repositories of Google-owned GitHub organisations. Also in scope are those projects’ third-party dependencies, although notification to the affected dependency will be required pre-submission to Google.

Besides Angular, Fuchsia and Golang, the initial rollout will focus on two other particularly sensitive projects – Bazel, a build-and-test platform; and Protocol Buffers, a mechanism for serialising structured data – all of which will receive the top awards, potentially as high as $31,000. Google said it was likely to expand this list in future.

Perron and Kotowicz said they were particularly keen to hear about vulnerabilities that could lead to supply chain compromise, design issues that could cause product vulnerabilities, and issues such as sensitive or leaked credentials, weak passwords, or insecure installations.

Hackers who are interested in getting started on the new OSS VRP programme are encouraged to check out the programme’s rules, which are set out in detail here.

More widely, the OSS VRP forms part of a $10bn spending commitment made by Google in August 2021 at a gathering of some of the largest tech companies in the world, including Amazon, Apple, IBM and Microsoft, which came together at a White House summit to support president Biden’s cyber security action plan.

Besides OSS security Google is also investing in zero-trust and supply chain security, and plans to help more than a hundred thousand people gain access to industry-recognised digital skills certifications.