Google Announces New Open-Source Software Bug Bounty Program

Colin Thierry, Writer

Google announced on Tuesday that it will pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS).

The tech giant’s newly launched Vulnerability Reward Program (VRP) primarily focuses on Google software and on repository settings, including GitHub Actions workflows, application configurations, and access control rules.

This program applies to software available on public repositories of Google-owned GitHub organizations along with some repositories from other platforms.

Security vulnerabilities in the third-party dependencies of Google OSS are also in scope for this program, on the condition that bug reports are sent to the owners of the vulnerable packages first. This way, the issues are already addressed by the time Google is informed of the findings.

“The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia,” Google said in its statement on Tuesday.

Google’s OSS VRP puts most of its emphasis on security flaws that would have the most significant impact on the software supply chain.

As a result, the company encourages bug bounty hunters to focus on vulnerabilities that could lead to supply chain compromise, on design issues that cause product vulnerabilities, and on other security issues such as leaked login credentials, weak passwords, or insecure installations.

Depending on the severity of the vulnerability and the importance of the project, rewards range from $100 to $31,337.

“Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response,” Google said in its statement.

“In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount,” the tech giant added.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.