The new program tackles a major problem in the software community – a spike in supply chain compromises. Citing a report from the software firm Sonatype, Google noted that attacks targeting the open-source supply chain grew 650% year-over-year in 2021. Even single vulnerabilities, like the severe Log4j vulnerability that was discovered in December 2021, can wreak widespread havoc. Google’s new program encourages bug hunters to look for issues in up-to-date versions of open-source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations (such as Google, GoogleAPIs and GoogleCloudPlatform). It also focuses on those projects’ third-party dependencies. SEE: These are the cybersecurity threats of tomorrow that you should be thinking about today The top awards will go to vulnerabilities found in the most sensitive projects that Google maintains, including Bazel, Angular, Golang, Protocol buffers and Fuchsia. Google also is encouraging bug hunters to look for problems that could have the greatest impact on the supply chain, which could include design issues that cause product vulnerabilities or security issues like leaked credentials. Rewards will range from $100 to $31,337, depending on the severity of the vulnerability and the project’s importance. “The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Google added in its blog post. The OSS VRP is part of the $10 billion that Google has committed to spending on US cybersecurity. Google made the commitment last year following a meeting at the White House, where the Biden administration stressed that potential vulnerabilities in open-source software are a national security concern.
