Google Vulnerability Reward Program Focuses on Open Source Software 

Google’s bug bounty program will be expanded to include a special open source section called the Open Source Software Vulnerability Rewards Program (OSS VRP), the company announced on its security blog.

Through this program, security researchers will receive a reward for finding security vulnerabilities in open source projects maintained by Google, as well as in those projects' dependencies.

Rewards of up to $31,337 will be offered for researchers who can find bugs in the open source ecosystem.

Google Launches Rewards Program for OSS

Google initially wants to pay out the highest amounts for what it considers to be the most important projects, which include Bazel, Angular, the Go programming language, Protocol Buffers and Fuchsia.

To focus efforts on discoveries that have the greatest impact on the supply chain, Google is looking specifically for “vulnerabilities that lead to supply chain compromise, design issues that cause product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords or insecure installations.”

The company was one of the first to launch a bug bounty program and has been offering the so-called Vulnerability Rewards Program (VRP) for twelve years now. During this time, the scope of the software that falls under the program has been expanded repeatedly.

The new open source program includes all public projects in a GitHub repository belonging to Google.

In addition, the public projects’ dependencies are also explicitly included, provided that their maintainers are informed in advance by the researchers about their participation in the Google program.

Software Supply Chain Security

The fact that Google is also opening the extended bug bounty program to dependencies shows a change in awareness with regard to the so-called software supply chain.

According to Google, attacks on the software supply chain grew 650% last year alone and included the attacks at Codecov and the Log4j vulnerability.

The company is also one of the initiators of the Open Source Security Foundation (OpenSSF), which puts a lot of money into improving open source security.

“At first glance, this looks like a great addition,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation. “One of the advantages of OSS is that there are many eyes on the code and vulnerabilities are often discovered and fixed quickly.”

He says adding a bug bounty to open source projects gives researchers and coders more incentive to find and report issues before they become exploits in the wild.

“Google is a major contributor to the OSS community, and this really is putting their money where their mouth is,” he added. 

Casey Bisson, head of product and developer enablement at BluBracket, a provider of code security solutions, pointed out that the world’s software is largely built on open source.

“As the steward of a number of open source projects, Google’s bounty program is a necessary response to the growing risk of software supply chain attacks,” he said. 

He added that Google open sourced several projects as a way to expand its ecosystem and influence.

“Now, offering security bounties for those projects brings them a similar level of protection that Google offers for its other ‘as-a-service’ offerings,” Bisson explained. 

Parkin said beyond funding bug bounty programs for open source projects, large vendors could do even more to support the communities that keep open source alive.

“Some of them already do, which is great, but there are a lot of tech companies that benefit from OSS projects without really giving much back,” he added. “There are a lot of open source projects that don’t have a large organization backing them up, but still add a lot of value to the OSS ecosystem.”

From Parkin’s perspective, it would be good to have some kind of bug bounty pool that could pay out for vulnerabilities discovered in those projects.

“While it might be a challenge to manage something like that, there’s no doubt it would be a benefit to the community overall,” he said. 

Bisson agreed that companies of all types should consider offering security bounties for the systems they depend on.

“People probing security vulnerabilities are looking to get paid, so offering a bounty to the person who discovers it can help uncover risks that might otherwise get sold to bad actors,” he explained.

Those malicious actors might use the vulnerability for escalated attacks, including ransomware, theft of source code and secrets, extraction of customer and employee records, and further attacks against adjacent systems and partners.

“Google’s bounty program is a good step to protecting their software, but the vast landscape of open source that enterprises depend on remains at risk,” Bisson said. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
