Google on Monday launched a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.
Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.
With the tech giant being the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.
Other projects managed by Google and hosted on public repositories such as GitHub, as well as the third-party dependencies that are included in those projects, are also eligible.
Submissions from bug hunters are expected to meet the following criteria –
- Vulnerabilities that lead to supply chain compromise
- Design issues that cause product vulnerabilities
- Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
Beefing up open source components, particularly third-party libraries that act as the building blocks of much software, has emerged as a top priority in the wake of a steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.
Image credit: Sonatype
The Log4Shell vulnerability in the Log4j Java logging library that came to light in December 2021 is a prime example, causing widespread havoc and becoming a clarion call for improving the state of the software supply chain.
“Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability,” Google’s Francis Perron and Krzysztof Kotowicz said.
The move follows a similar rewards program Google instituted last November for uncovering privilege escalation and Kubernetes escape exploits in the Linux Kernel. It has since raised the maximum amount from $50,337 to $91,337 until the end of 2022.
Earlier this May, the internet behemoth announced the creation of a new “Open Source Maintenance Crew” to focus on bolstering the security of critical open source projects.