Google has launched a new vulnerability reward program: there are several rules

Google has introduced a new reward program for finding software vulnerabilities. The company promises to pay from $101 to more than $31 thousand for information about bugs in the Angular, GoLang and Fuchsia projects, or for vulnerabilities in third-party dependencies included in the codebases of these projects. For researchers who are not motivated by money, Google offers to donate the award to charity, in which case the amount will be doubled.

According to Google's rules, payouts under the Open Source Software Vulnerability Rewards Program (OSS VRP) will depend on the severity of the bug and on the importance of the project in which it was found. The highest awards will go to researchers who identify vulnerabilities in the most sensitive projects: Bazel, Angular, Golang, Protocol Buffers and Fuchsia. The list is planned to be expanded later.

There are also additional rules for supply chain vulnerability bonuses. Researchers will need to notify whoever is actually responsible for the third-party project before notifying Google. They must also show that the problem affects the Google project. A bug in a part of a library that the company does not use will not be eligible for the program.

Depending on the severity of the vulnerability and the importance of the project, the reward will range from $101 to $31,337. Larger amounts are promised for unusual or particularly interesting vulnerabilities, so creativity is encouraged.

Researchers are advised to focus on finding design issues that lead to product vulnerabilities, credential leaks, weak passwords, and similar problems.

The Verge writes that the most interesting thing about this program is its emphasis on third-party dependencies. Programmers often use code from open source projects so that they don't have to reinvent something that has long existed. But developers often import this code directly, along with any updates to it, and this creates the possibility of supply chain attacks: hackers do not target code that is directly controlled by Google, but instead go after its third-party dependencies.

In 2021, the number of attacks targeting the open source supply chain increased by 650% compared to the previous year, Google says. This refers in particular to incidents such as Codecov and the Log4j vulnerability, which showed the destructive potential of a single open source vulnerability.