Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS).
The company’s newly announced Vulnerability Reward Program (VRP) focuses on Google software and repository settings (like GitHub actions, application configurations, and access control rules).
It applies to software available on public repositories of Google-owned GitHub organizations as well as some repositories from other platforms.
Security vulnerabilities in Google OSS third-party dependencies are in scope for this program, with the condition that the bug reports are first sent to the owners of the vulnerable packages, so the issues are addressed upstream before informing Google of the findings.
“The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia,” Google said today.
Google’s OSS VRP focal point is security flaws that would have the most significant impact on the software supply chain.
Therefore, the company encourages bug bounty hunters to focus on vulnerabilities that could lead to supply chain compromise, design issues causing product vulnerabilities, and security issues like leaked credentials, weak passwords, or insecure installations.
Based on the severity level of the reported flaws and the project’s importance, the final rewards range from $100 to $31,337.
The larger reward amounts will go to particularly interesting and unusual security vulnerabilities, with small bonuses of up to $1,000 also applying to the most interesting and clever bugs.
Category
Flagship OSS projects
Standard OSS projects
Supply chain compromises
$3,133.7 – $31,337
$1,337 – $13,337
Product vulnerabilities
$500 – $7,500
$101 – $3,133.7
Other security issues
$1,000
$500
“Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response,” Google said.
“In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.”
In February, Google also almost doubled rewards for Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF zero-day vulnerabilities and bug exploits using unique exploitation techniques.
Two months later, in April, the company announced that Android 13 Beta bugs reported through its VRP will get a 50% bonus on top of the standard reward until May 26th, 2022, with a maximum payout of $1.5 million for full remote code execution exploit chain on the Titan M used in Pixel Phones running Android 13 Beta builds.
Since launching its first VRP in 2010, Google has rewarded over $38 million to thousands of security researchers from over 84 countries for reporting more than 13,000 bugs.
In 2021 it awarded a record-breaking $8,700,000, including a $157,000 payout for an Android exploit chain, the highest in Android VRP history.
