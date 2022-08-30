Google will now pay security researchers who find and report bugs in the latest versions of Google’s open source software (Google OSS). This will be done through the Vulnerability Reward Program (VRP) that the company has announced.

The program covers Google software and its repository configurations: for example, software published in the public GitHub repositories that Google owns, as well as some repositories hosted on other platforms.

To collect the reward that the Mountain View company offers, bug reports must first be sent to the owners of the vulnerable packages so that the issues are addressed there, before the findings are reported to Google.

“The most important prizes will go to the vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers and Fuchsia,” Google said today.

Importance of failures in the supply chain

The heart of the Google OSS Vulnerability Reward Program is the set of security flaws that would have the most significant impact on the software supply chain.

Specifically, the company encourages researchers to focus on vulnerabilities that could compromise the supply chain, design issues that cause product vulnerabilities, and security issues such as credential leaks, weak passwords or insecure installations.

In a supply chain attack, attackers compromise a third party and, through it, infiltrate the systems that depend on that party's software or services.

Depending on the severity level of reported bugs and the importance of the project, final rewards range from $100 to $31,337.

According to Google, “in addition to a reward, you can receive public recognition for your contribution. You can also choose to donate your reward to a charity for double the original amount.”