Google has launched the Open Source Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open-source projects.
Google said in a blog post on Tuesday that the new vulnerability rewards program (VRP) addresses the recent rise of supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open-source supply chain, including major incidents such as Codecov and the Log4j vulnerability.
Google said the new OSS VRP was part of the company's $10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open-source consumers worldwide.
Securing open-source software and the broader software supply chain remains a top concern for security organizations globally, said Dave Gerry, chief operating officer at Bugcrowd. Gerry said that by leveraging the human intelligence of the researcher community, Google shows that it is committed to ensuring that its open-source projects are secure.
“This represents a great step being taken by a leader in OSS to ensure they are providing secure OSS components,” Gerry said.
Casey Bisson, head of product and developer enablement at BluBracket, said software and most cloud apps are largely built on open source. Bisson said that, with Google acting as the steward of a number of open-source projects, its bounty program stands as a necessary response to the growing risk of software supply chain attacks.
“Google has open-sourced a number of projects as a way to expand its ecosystem and influence,” Bisson said. “Now, offering security bounties for those projects brings them a similar level of protection that Google offers for its as-a-service offerings.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said Google has become a major contributor to the open-source software (OSS) ecosystem, and it’s good to see them supporting their OSS projects with a bug bounty program. Parkin said OSS projects already have the advantage of having more eyes on the code, which leads to vulnerabilities often being found and fixed quickly.
“A bug bounty program like this will incentivize people to take a deeper look,” Parkin said. “Ideally, a program like this could expand outside of ‘sponsored’ projects with ties to large tech companies to help other vital, but not as well-funded, OSS projects.”
Chloé Messdaghi, chief impact officer at Cybrary, added that it’s great to see leaders in the security community stepping up and creating a bridge between security researchers, the broader hacker community, and Google. Messdaghi said the hacker community loves to know that when they contribute, they are seen and appreciated.
“When companies step up with bounty programs to the broader community, it elevates the entire field of security contributors,” Messdaghi said. “Google’s actions here push the bounty program down further into the security ecosystem. Anytime a company institutes a bug bounty program, they are making a statement that this is important and it invites others in the community to do the same. This creates a much safer environment for the ‘white hat’ hackers who may exist in the spaces between the inside security teams and the outer freelance world.”