August 31, 2022

Google has launched a new bug bounty program that will focus on open-source software.

As attacks on the open-source supply chain leaped 650% year-over-year in 2021 compared to the previous year, the new program will address the steep increase in supply chain compromises.

The new program encourages bug hunters to look for issues in up-to-date versions of open-source software, including the settings for repositories stored in the public repositories of Google-owned GitHub organizations.

Google also invites bug hunters to look for issues that could have the biggest impact on the supply chain, such as design issues that cause product vulnerabilities or security issues such as leaked credentials.

Depending on the severity of the vulnerability and importance of the project, the price ranges from $100 to $31,337.

The program is known as the new Open-Source Software Vulnerability Rewards Program (OSS VRP). The OSS VRP is part of the $10 billion that Google promised to pump into the U.S. cybersecurity space.

The company made the commitment last year after a White House meeting when the Biden administration pushed for better security against cyberattacks on U.S. organizations.

The sources for this piece include an article in ZDNet.