Google expands bug bounty program to prevent supply chain attacks


From now on, security researchers can dig into open source software from Google and third parties to root out vulnerabilities. There are cash rewards for doing so.

Technology company Google has launched its new Open Source Software Vulnerability Rewards Program (OSS VRP). Participating security researchers are invited to check the company's own open source projects, such as Angular and Golang, for security gaps, but third-party tools are also in scope. Rewards for vulnerabilities found go up to almost 31,000 US dollars.

As Google explains in an article, it primarily wants to take action against supply chain attacks: attacks that exploit vulnerabilities in open source software that is used in other applications, thereby making those applications vulnerable as well. This was the case, for example, with the Log4Shell vulnerability in the widely used Java library Log4j. According to a report by Sonatype, supply chain attacks increased by 650 percent in 2021.

Google summarizes the key facts and rules of the OSS VRP on a subpage. In addition to software in the company's repositories, security researchers should also look for vulnerabilities in third-party dependencies. Gaps discovered there should first be reported to the maintainers responsible, so that they can develop patches before Google is informed.

The company wants to pay the highest rewards for vulnerabilities that enable supply chain attacks, for example when attackers can manipulate code in repositories so that the program packages developers download are contaminated with malicious code. Google also wants to reward the discovery of publicly exposed credentials and weak password algorithms in the open source area.


The regular in-house bug bounty program for products like Chrome has been around for 12 years. Google says it has paid out $38 million in rewards so far.