{"id":27729,"date":"2022-08-31T10:20:28","date_gmt":"2022-08-31T14:20:28","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=500722"},"modified":"2022-08-31T11:14:54","modified_gmt":"2022-08-31T15:14:54","slug":"google-expands-bug-bounty-program-to-cover-github-and-other-open-source-projects","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/google-expands-bug-bounty-program-to-cover-github-and-other-open-source-projects\/","title":{"rendered":"Google expands bug bounty program to cover GitHub and other open source projects"},"content":{"rendered":"<p data-ar-index=\"0\">Google is adding to its bounty program that pays for the discovery of application vulnerabilities.<\/p>\n<p data-ar-index=\"1\">On Tuesday the company launched the <a href=\"https:\/\/bughunters.google.com\/about\/rules\/6521337925468160\/google-open-source-software-vulnerability-reward-program-rules\">Open Source Software Vulnerability Rewards Program (OSS VRP)<\/a> to reward discoveries of bugs in Google\u2019s open source projects.<\/p>\n<p data-ar-index=\"2\">That covers all up-to-date versions of open source software (including repository configuration settings such as GitHub Actions) stored in the public repositories of Google-owned GitHub organizations (such as <a href=\"https:\/\/github.com\/google\">Google<\/a>, <a href=\"https:\/\/github.com\/googleapis\/\">GoogleAPIs<\/a>, <a href=\"https:\/\/github.com\/GoogleCloudPlatform\">Google Cloud Platform<\/a>), as well as projects that Google maintains, such as the <a href=\"https:\/\/github.com\/golang\">Go<\/a> programming language (Golang), the <a href=\"https:\/\/github.com\/angular\">Angular<\/a> web developers platform and the <a href=\"https:\/\/fuchsia.dev\/\">Fuchsia<\/a> operating system.<\/p>\n<p data-ar-index=\"3\">\u201cThe addition of this new program addresses the ever more prevalent reality of rising supply chain compromises,\u201d Google said. 
\u201cLast year saw a <a href=\"https:\/\/www.sonatype.com\/hubfs\/Q3%202021-State%20of%20the%20Software%20Supply%20Chain-Report\/SSSC-Report-2021_0913_PM_2.pdf?hsLang=en-us\">650 per cent year-over-year increase<\/a> in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability.<\/p>\n<p data-ar-index=\"4\">\u201cGoogle\u2019s OSS VRP is part of our <a href=\"https:\/\/blog.google\/technology\/safety-security\/why-were-committing-10-billion-to-advance-cybersecurity\/\">US$10 billion commitment to improving cybersecurity<\/a>, including securing the supply chain against these types of attacks for both Google\u2019s users and open source consumers worldwide.\u201d<\/p>\n<p data-ar-index=\"5\">The overall program includes rewards for finding vulnerabilities in Google products such as Chrome, Android, Pixel smartphones, the Google Nest line of smart home products, Fitbit smartwatches, certain apps in the Google Play store, and other areas. Over the past 12 years, this program has rewarded more than 13,000 submissions, with over US$38 million paid out.<\/p>\n<p dir=\"ltr\" data-ar-index=\"6\">The new program not only focuses on Google\u2019s open source projects but also those projects\u2019 third-party dependencies (with prior notification to the affected dependency required before submission to Google\u2019s OSS VRP).<\/p>\n<p dir=\"ltr\" data-ar-index=\"7\">The top awards will go to vulnerabilities found in the most sensitive projects: <a href=\"https:\/\/github.com\/bazelbuild\">Bazel<\/a>, Angular, Golang, <a href=\"https:\/\/github.com\/protocolbuffers\">Protocol buffers<\/a>, and Fuchsia. 
After the initial rollout that list will be expanded.<\/p>\n<p dir=\"ltr\" data-ar-index=\"8\">The program is looking for<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">vulnerabilities that lead to supply chain compromise;<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">design issues that cause product vulnerabilities;<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\" data-ar-index=\"9\">Depending on the severity of the vulnerability and the project\u2019s importance, rewards will range from US$100 to US$31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.<\/p>\n<p dir=\"ltr\" data-ar-index=\"10\">See the <a href=\"https:\/\/bughunters.google.com\/about\/rules\/6521337925468160\/google-open-source-software-vulnerability-reward-program-rules\">program rules<\/a> for more information.<\/p>\n<p data-ar-index=\"11\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/google-expands-bug-bounty-program-to-cover-github-and-other-open-source-projects\/500722\">Google expands bug bounty program to cover GitHub and other open source projects<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Additions cover Google APIs, Golang, Angular, 
Fuchsi<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[66,16,422],"tags":[649,391,40,507,393,650],"class_list":["post-27729","post","type-post","status-publish","format-standard","hentry","category-open-source","category-security","category-supply-chain","tag-bounty","tag-di","tag-google","tag-open-source-software","tag-security-strategies","tag-vulnerabilities"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=27729"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27729\/revisions"}],"predecessor-version":[{"id":27731,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27729\/revisions\/27731"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=27729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=27729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=27729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}