Google has launched a program aimed at rewarding the discoveries of vulnerabilities found in its open source software projects, such as Golang, Angular and Fuchsia, as well as Google open source third-party dependencies.
The program will offer rewards ranging from $100 to $31,337 for vulnerabilities that lead to supply chain compromise, design issues that could cause product vulnerabilities, and other security issues like leaked credentials, weak passwords or insecure installations. Top rewards will go to flaws found in the “most sensitive projects,” such as Bazel, Angular, Golang, Protocol buffers and Fuchsia, but the program includes all up-to-date versions of open source software stored in the public repositories of Google-owned GitHub organizations, and those projects’ third-party dependencies.
“Google’s Open Source Software Vulnerability Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us secure open source software released by Google (Google OSS),” according to the program rules. “Through this program, we provide monetary rewards and public recognition to researchers who disclose vulnerabilities in Google OSS to us.”
For third-party dependencies, Google asked researchers to report directly to the owner of the vulnerable package first to “ensure that the issue is addressed upstream” before letting them know of the details. Google, one of the largest maintainers, contributors and users of open source, in 2021 contributed $1 million to Secure Open Source, a pilot program run by the Linux Foundation that rewards developers working to improve open source project security.
Overall, the open source software ecosystem is a lucrative target for attackers, as seen both through the SolarWinds attack and fallout from the Log4j vulnerability. Google said that attacks targeting the open source supply chain increased by 650 percent last year. The inherent security issues that exist in the open source software ecosystem have recently been discussed by the U.S. government, which in the months after the discovery of Log4j mulled over a proposal to set up an independent clearing house to offer support and match volunteers with open source projects that need help. Open source foundations themselves have also offered up solutions, including the Open Source Security Foundation's Alpha-Omega project that aims to help the maintainers of thousands of critical open source software projects find and fix security vulnerabilities in their code.
Katie Moussouris, founder and CEO of Luta Security, praised Google for its various efforts in aiming to secure open source software, but also noted that a bug bounty program alone “doesn’t necessarily present the way that we’re going to dig our way out of this open source supply chain dependency disaster that we found ourselves in as an ecosystem.”
Moussouris, a member of the Cyber Safety Review Board that recently released a number of recommendations based on a review of the Log4j vulnerability, said maintainers need access to security experts that can perform security reviews earlier in the lifecycle.
“It’s not who can find more flaws, but who can prevent more flaws,” said Moussouris. “I think we’re still missing some folks with key knowledge and understanding of secure development, and that’s what we need an infusion of in open source, as opposed to more bounty money to find flaws.”