Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

To protect the ecosystem against supply chain threats, Google on Monday unveiled a new bug bounty program for its open source projects, with rewards ranging from $100 to $31,337 (a nod to "eleet" or "leet", hacker slang for "elite").

The program, called the Open Source Software Vulnerability Rewards Program (OSS VRP), is one of the first vulnerability reward programs dedicated specifically to open source software.

Because Google maintains widely used projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to encourage the disclosure of vulnerabilities that could otherwise have an outsized impact on the wider open source community.

Also in scope are those projects’ third-party dependencies and other Google-managed projects hosted in public repositories such as GitHub.

Submissions from bug hunters are expected to fall into one of the following categories:

  • Vulnerabilities that lead to supply chain compromise
  • Design issues that cause product vulnerabilities
  • Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

Hardening open source components, especially the third-party libraries that serve as building blocks for much of today’s software, has emerged as a top priority in the wake of a steady escalation in supply chain attacks targeting package registries such as Maven, NPM, PyPI, and RubyGems.

A prime example is Log4Shell, the vulnerability in the Log4j Java logging library disclosed in December 2021, which caused extensive damage and served as a wake-up call about the need to improve the state of the software supply chain.

According to Google’s Francis Perron and Krzysztof Kotowicz, “Last year saw a 650% year over year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability.”

The move follows a similar reward program Google introduced in November of last year for privilege escalation and Kubernetes escape exploits in the Linux kernel; the maximum payout for that program has since been raised from $50,337 to $91,337 through the end of 2022.

In early May, the internet giant also announced the formation of a new “Open Source Maintenance Crew”, a dedicated team tasked with improving the security of critical open source projects.
