Google debuts open source bug bounty program

Google has added a strand to its stable of vulnerability reward programs (VRPs) with the launch of a dedicated Open Source Software (OSS) track that will reward hackers who disclose bugs in Google’s open source projects.

Its existing VRPs date back to 2010 and cover multiple products, including the Android mobile operating system (OS) and the Chrome web browser, with payouts in excess of $38m (£33m) across a cumulative total of more than 13,000 submissions.

Google maintains multiple OSS projects, including the web development platform Angular, the operating system Fuchsia and the Go programming language (Golang). The launch of its OSS VRP is a significant moment for the search giant, reflecting the growing number of OSS vulnerabilities uncovered in recent times, which provide threat actors with a gateway to many potential victims at once.

These include high-impact supply chain attacks enabled by OSS vulnerabilities, such as the April 2021 compromise of the code coverage service Codecov, and Log4Shell, whose consequences reverberated around the world for nine months.

“Google is proud to both support and be a part of the open source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from more than 84 countries and look forward to increasing that number with this new VRP,” wrote Google’s Open Source Security Technical Program Manager Francis Perron and Information Security Engineer Krzysztof Kotowicz.

“The community continues to amaze us with its creativity and determination, and we can’t wait to see what new bugs and discoveries you have in store. Together, we can help improve the security of the open source ecosystem.”

The program is designed to encourage researchers to disclose vulnerabilities with the greatest potential, or actual, real-world impact. It covers the up-to-date versions of OSS stored in the public repositories of Google-owned GitHub organizations. Third-party dependencies of these projects are also in scope, although the affected dependency’s maintainers must be notified before a report is submitted to Google.

Alongside Angular, Fuchsia and Go, the initial rollout will focus on two other particularly sensitive projects: Bazel, a build and test platform, and Protocol Buffers, a mechanism for serializing structured data. All five qualify for the top reward tier, with a possible maximum of $31,337. Google said that this list is likely to expand in the future.

Perron and Kotowicz said they are especially interested in hearing about vulnerabilities that lead to supply chain compromises, design issues that could lead to product vulnerabilities, and issues such as sensitive or leaked credentials, weak passwords or insecure installations.

Hackers interested in participating in the new OSS VRP are encouraged to check the program rules, which are set out in detail here.

More broadly, the OSS VRP forms part of a $10 billion spending commitment made by Google in August 2021 at a White House gathering of the world’s biggest tech companies, including Amazon, Apple, IBM and Microsoft. The summit was convened to support President Biden’s cybersecurity action plan.

In addition to OSS security, Google is also investing in zero-trust and supply chain security, and plans to help over a million people gain access to industry-recognized digital skills certifications.
