Google will pay you up to Rs 25 lakh if you can find bugs in its open source projects

Google said in a blog post that it is launching its rewards programme for discoveries of vulnerabilities on its Google open source. The Google Open Source Software Vulnerability Rewards Program (OSS VRP) will reward researchers for finding bugs that could potentially impact the entire open source ecosystem. The prize, depending on the intensity of the bug, would amount up to $31,337 or around Rs 25 lakh.

“Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Google said in a blog post from Tuesday.

It said, “The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia. After the initial rollout we plan to expand this list.”

Google said that it is the maintainer of Golang, Angular, Fuchsia, and other major projects, and as such is among the largest contributors and users of open source in the world. It added that it has been committed to supporting security researchers and bug hunters for over a decade. The original VRP programme, aimed at rewarding those who make Google’s code more secure, is approaching its 12th anniversary. 

The VRP lineup has extended over time to include programmes for Chrome, Android, and more, rewarding over $38 million to more than 13,000 submissions. 

The new programme is an indication of the rising supply chain compromises, said Google. There was a 650 per cent on-year increase in attacks targeting the open-source supply chain. The new programme is part of Google’s $10 billion commitment to improve cybersecurity, it said. 

Submissions

The tech giant said that it will accept submissions in the following categories: 

• Vulnerabilities that lead to supply chain compromise
• Design issues that cause product vulnerabilities
• Other security issues including sensitive or leaked credentials, weak passwords, or insecure installations

“If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response. In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount,” said Google.

In case the applicant is not sure whether the bug they have found is right for Google’s OSS VRP, Google will route the submission to a different VRP that can give the applicant the highest possible payout. 

Also read: Google removed over 2,000 loan apps from India Play Store since January: Official