View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 31, 2022updated 01 Sep 2022 4:38am

Google launches new open source bug bounty

The tech giant says bugs found in projects including Golang, Bazel and Angular will command the biggest payouts.

By Ryan Morrison

Google has launched a new open source software bug bounty with payouts ranging from $101 to $31,337 depending on the severity of the vulnerability. It will also offer rewards for information on flaws in third-party dependencies including the codebases of Google-backed projects.

Google says it will provide the highest payouts for bugs in the most high profile projects (Photo: photovibes/iStock)
Google says it will provide the highest payouts for bugs in the most high profile projects (Photo by photovibes/iStock)

The open source vulnerability rewards program (VRP) is an extension of the existing Google VRP launched nearly 12 years ago. Under the new system, the highest payouts will be going to researchers who find bugs in the most sensitive projects including Bazel, Angular, Golang, Protocol buffers and Fuchsia, with other rewards going to bugs that are “unusual or particularly interesting”.

Google has always invested in the open source community but has recently increased its involvement in a range of projects. A study released last month found that it had overtaken Microsoft as the largest contributor to learning open-source code repository GitHub.

Open source cloud infrastructure company Aiven examined the number of GitHub contributions from the likes of Google, Amazon and Microsoft, finding that Google alone had a 21% year-on-year rise in monthly commits, and overtook Microsoft with the most contributors.

In a blog post, Google security engineers Francis Perron and Kryzsztof Kotowicz said the company has been committed to supporting security researchers and bug hunters for more than a decade, with the original vulnerability rewards program approaching its 12th anniversary.

“Over time, our VRP lineup has expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, totalling over $38M paid,” the pair wrote.

Google bug bounty scheme targets open source supply chain

This new program is an addition to the existing VRP and is targeting the rising problem of supply chain compromises. Last year, there was a 650% increase in attacks targeting the open source supply chain including the Log4j vulnerability.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Log4j is a JavaScript vulnerability present in millions of systems that was uncovered last year and created the perfect conditions for ransomware groups to strike. The zero-day vulnerability, known as Log4Shell, is caused by a problem in Apache’s Log4J logging library and allows threat groups to launch remote code attacks against affected systems.

To focus efforts on discoveries that have the greatest impact on the supply chain, Google is looking for vulnerabilities that lead to supply chain compromise, design issues that can cause vulnerabilities in products and other security issues such as leaked credentials and insecure installations.

A study by ShiftLeft found that, while vulnerabilities in the open source supply chain were a growing issue, only about 3% of them were actually reachable by attackers. This suggests that if application security professionals work to focus on fixing and mitigating the "truly attackable", it could reduce the impact.

“If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response," ,” said Perron and Kotowicz. "In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount."

If the bug doesn’t fit within the open source VRP, the team will route it to the relevant team and other areas of Google product bounty programs to see which will give the highest payout.

In the case of third-party dependencies, the researcher has to prove that the bug affects Google’s project and inform the owner of that project before informing Google. If it doesn’t affect Google’s project, it isn’t eligible for the bounty.

Finding open source bugs is 'vital'

“Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP," the Google engineers wrote. “The community has continuously surprised us with its creativity and determination, and we cannot wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem.”

Matt Barker, CEO of Kubernetes service company Jetstack and an open source industry veteran, says Google including third party dependencies in the bug program is significant as it widens the net to of existing bug bounty programs to address issues seen in huge software supply chain attacks.

Finding vulnerabilities in open source projects is vital, he explains, particularly the large projects run by Google and other tech giant, as over 90% of applications use one or more of these components. This means that if a vulnerability does exist, it presents a single point of weakness across a wide range of projects, products and services.

"When the Log4J open source vulnerability was discovered, it’s suspected that almost half of the corporate networks globally were targeted by threat actors, which shows the scale of possible attacks on open source components," Barker said.

“The Google bug bounty will help to reduce vulnerabilities in open source solutions, but that will of course take time. So, for companies that are serious about continuing to use open source in a secure way, creating a zero trust security architecture is crucial."

Barker said that for these flaws to be identified it is crucial "that everyone is pulling in the same direction". He adds: "Collaboration between developer teams and security teams is vital to this, but there has been friction in the past as developers are under pressure to develop at speed, and security teams are under pressure to develop securely and audit components, which can be a painful process."

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Ten-point plan to boost open-source security revealed

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU