Friday, November 29, 2024

Google Launches New Open-Source Bug Bounty to Tackle Supply Chain Attacks - The Hacker News

Last updated Wednesday, August 31, 2022 01:42 ET

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.
Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.
With the tech giant being the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.
Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible.
Submissions from bug hunters are expected to meet the following criteria:
Vulnerabilities that lead to supply chain compromise
Design issues that cause product vulnerabilities
Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
Beefing up open source components, especially third-party libraries that serve as the building blocks of much software, has emerged as a top priority in the wake of a steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.
The Log4Shell vulnerability in the Log4j Java logging library that came to light in December 2021 is a prime example, causing widespread havoc and becoming a clarion call for...
Read Full Story: https://thehackernews.com/2022/08/google-launches-new-open-source-bug.html