Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

August 31, 2022

Google on Monday announced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to protect the ecosystem from supply chain attacks.

Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.

With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the wider open source landscape.

Other projects managed by Google and hosted on public repositories such as GitHub, as well as the third-party dependencies included in those projects, are also eligible.


Submissions from bug hunters are expected to meet the following criteria:

  • Vulnerabilities that lead to supply chain compromise
  • Design issues that cause product vulnerabilities
  • Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations

Hardening open source components, particularly third-party libraries that serve as the backbone of many a software application, has emerged as a top priority following a steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.

[Image: Supply Chain Attacks. Photo credit: Sonatype]

The Log4Shell vulnerability in the Log4j Java logging library that came to light in December 2021 is a prime example, causing widespread chaos and becoming a clarion call for improving the state of the software supply chain.


"Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Google's Francis Perron and Krzysztof Kotowicz said.

The move follows a similar rewards program Google set up last November for discovering privilege escalation and Kubernetes escape exploits in the Linux Kernel. It has since upped the maximum amount from $50,337 to $91,337 until the end of 2022.

Earlier this May, the internet behemoth announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects.
