Google has launched a new open source software bug bounty with payouts ranging from $101 to $31,337 depending on the severity of the vulnerability. It will also offer rewards for information on flaws in third-party dependencies including the codebases of Google-backed projects.
The open source vulnerability rewards program (VRP) is an extension of the existing Google VRP launched nearly 12 years ago. Under the new system, the highest payouts will be going to researchers who find bugs in the most sensitive projects including Bazel, Angular, Golang, Protocol buffers and Fuchsia, with other rewards going to bugs that are “unusual or particularly interesting”.
Google has always invested in the open source community but has recently increased its involvement in a range of projects. A study released last month found that it had overtaken Microsoft as the largest contributor to the leading open-source code repository GitHub.
Open source cloud infrastructure company Aiven examined the number of GitHub contributions from the likes of Google, Amazon and Microsoft, finding that Google alone had a 21% year-on-year rise in monthly commits, and overtook Microsoft with the most contributors.
In a blog post, Google security engineers Francis Perron and Krzysztof Kotowicz said the company has been committed to supporting security researchers and bug hunters for more than a decade, with the original vulnerability rewards program approaching its 12th anniversary.
“Over time, our VRP lineup has expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, totalling over $38M paid,” the pair wrote.
Google bug bounty scheme targets open source supply chain
This new program is an addition to the existing VRP and is targeting the rising problem of supply chain compromises. Last year, there was a 650% increase in attacks targeting the open source supply chain including the Log4j vulnerability.
To focus efforts on discoveries that have the greatest impact on the supply chain, Google is looking for vulnerabilities that lead to supply chain compromise, design issues that can cause vulnerabilities in products and other security issues such as leaked credentials and insecure installations.
A study by ShiftLeft found that, while vulnerabilities in the open source supply chain were a growing issue, only about 3% of them were actually reachable by attackers. This suggests that if application security professionals work to focus on fixing and mitigating the "truly attackable", it could reduce the impact.
“If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response,” said Perron and Kotowicz. “In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.”
If the bug doesn’t fit within the open source VRP, the team will route it to the relevant team and other areas of Google product bounty programs to see which will give the highest payout.
In the case of third-party dependencies, the researcher has to prove that the bug affects Google’s project and inform the owner of that project before informing Google. If it doesn’t affect Google’s project, it isn’t eligible for the bounty.
Finding open source bugs is 'vital'
“Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP," the Google engineers wrote. “The community has continuously surprised us with its creativity and determination, and we cannot wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem.”
Matt Barker, CEO of Kubernetes service company Jetstack and an open source industry veteran, says Google including third-party dependencies in the bug program is significant, as it widens the net of existing bug bounty programs to address issues seen in huge software supply chain attacks.
Finding vulnerabilities in open source projects is vital, he explains, particularly the large projects run by Google and other tech giants, as over 90% of applications use one or more of these components. This means that if a vulnerability does exist, it presents a single point of weakness across a wide range of projects, products and services.
"When the Log4J open source vulnerability was discovered, it’s suspected that almost half of the corporate networks globally were targeted by threat actors, which shows the scale of possible attacks on open source components," Barker said.
“The Google bug bounty will help to reduce vulnerabilities in open source solutions, but that will of course take time. So, for companies that are serious about continuing to use open source in a secure way, creating a zero trust security architecture is crucial.”
Barker said that for these flaws to be identified it is crucial "that everyone is pulling in the same direction". He adds: "Collaboration between developer teams and security teams is vital to this, but there has been friction in the past as developers are under pressure to develop at speed, and security teams are under pressure to develop securely and audit components, which can be a painful process."