What is OSS VRP Initiative
Google is planning to give out cash rewards for information on vulnerabilities found in any of its open source projects as a part of an undergoing attempt to strengthen the security of its open source code. The latest Open Source Software Vulnerability Rewards Program (OSS VRP), which adds to Google's Vulnerability Rewards Program, was declared in a blog post recently.
According to DarkReading "Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of whose base code are managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward hitting $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021."
Google pays if you find the bug
Google is willing to pay experts up to $31,337 for giving details on vulnerabilities in open source software programs-specifically those administered by Google- that affect the firm's services and software.
Google's aim is to protect its own software supply chain, but since many non-Google developers use the company's open source software- like Go programming language and Angular Web framework- the initiative assures to promote securing the wider open source ecosystem too.
Initially, Google will emphasize critical and most widely used projects, Francis Perron says, who's an open source technical program manager at Google. He wants to provide a high-quality bug-hunting experience, so Google picked projects with enough maturity in their response and processes to test this program.
The project aims to secure the software supply chain
Widening the scope will happen after Google compiles enough internal data and assures that it can scale up without ruining the projects and experts. Protecting the software supply chain is now a crucial thing for technology firms and policymakers.
Earlier this year, the Biden administration met with open source organizations and technology firms to explore new ways to promote secure coding, finding more bugs, and speed patching of open source projects.
In 2021, Google pledged to invest $10 Billion over five years, the favorite effort by the OpenSSF, bringing a cybersecurity advisory group and supporting its Invisible Security zero trust initiative.
Google is proud to both support and is a part of the open-source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP, said Google.
