Google has introduced a program that rewards researchers for finding vulnerabilities in its own open source software. Rewards ranging from $101 to $31,337 will be paid for reporting bugs in projects such as Angular, GoLang, and Fuchsia, or vulnerabilities in third-party dependencies whose code is incorporated into those projects.
Programmers often reuse code from open source projects rather than reinvent the wheel for every common task. But because developers typically import this code, and its updates, directly, any vulnerabilities it contains are carried over into the software built on top of it.
Over the past few years, exploitation of such vulnerabilities has repeatedly threatened large companies. Google can audit open source software on its own, but with finite resources it cannot keep track of the entire “zoo” of projects it depends on.
The size of the payout will depend on the severity of the bug and on the importance of the project in which it was discovered (Fuchsia and similar projects are considered “flagship” projects, and the highest rewards are expected for work on them).
Researchers must first inform the developers of the third-party project about the vulnerability they found, and only then contact Google. They will also have to show that the problem affects the Google project: if the flaw is in a part of a library that the company does not use, it will not qualify for the program.
Google will also not pay for bugs found in third-party services used during development whose code is not incorporated into the project. For example, an issue in GitHub’s settings or login system falls outside the scope of the rewards program.
Google’s vulnerability reward program for its own products has existed for more than 10 years, and now rewards are also available for third-party software. Google is trying to draw on every available resource to find and eliminate vulnerabilities; the company recently said that the US government should be more actively involved in the development of open source software and in ensuring its security.
Google also pays grants to Ukrainian startups:
The Google Foundation has selected 16 more Ukrainian startups that will receive grants (up to $100,000) — there are already 33 of them
Source: The Verge