
Tech giant Google addresses open source security concerns through the implementation of a vulnerability rewards initiative

Open source software ecosystem under attack: Increasing instances of supply chain assaults.

Tech giant Google introduces rewards system for uncovering and reporting open source software vulnerabilities


Google has announced the launch of its Open Source Software Vulnerability Rewards Program (OSS VRP), a new initiative aimed at strengthening the security of open source software. The program is part of Google's ongoing efforts to address the growing threat of supply chain attacks on open source software.

The OSS VRP focuses on two main areas: up-to-date versions of open source software within Google-owned GitHub organizations and third-party dependencies of those projects. The program will reward researchers for discovering vulnerabilities that could lead to supply chain compromise, design issues that could result in product vulnerabilities, and sensitive security issues.

Google was one of several major technology firms that advocated for the White House to improve the security of open source software. The company has a long history of investing in open source security, having paid over $38 million on more than 13,000 submissions since the launch of its original bug bounty program over a decade ago.

The new program will offer rewards ranging from $100 to $31,337, depending on the severity of the vulnerability or the importance of the project. Top rewards will be given for vulnerabilities found in the most sensitive projects, which include Bazel, Angular, Golang, Protocol buffers, and Fuchsia. Google is one of the largest contributors to open source, maintaining projects such as Golang, Angular, and Fuchsia.

Francis Perron, open source security technical program manager at Google, stated that the new VRP scope highlights the importance of rewarding security research in the open source ecosystem and the importance of vulnerability disclosure in open source.

Which additional projects will be added to the sensitive-project list during the initial rollout period of the OSS VRP is not specified. Google does, however, plan to expand the list of sensitive projects after that initial rollout period.

The new OSS VRP was announced on Tuesday. The program targets vulnerabilities in projects stored in public repositories of Google-owned GitHub organizations and their third-party dependencies. In the past year, supply chain attacks aimed at open source have skyrocketed by 650%, including incidents like Codecov and Log4Shell.

Google's investment in the OSS VRP is part of its commitment to enhancing open source security. The company has invested over $7.5 million in the past year to this end, with the new program being a significant part of this effort. The OSS VRP is a testament to Google's dedication to ensuring the security and integrity of open source software, a critical component of the digital world.
