1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Google will now pay bounties for open source software bugs

    From TechnologyDaily@1337:1/100 to All on Wed Aug 31 14:30:03 2022
    Google will now pay bounties for open source software bugs

    Date:
    Wed, 31 Aug 2022 13:19:55 +0000

    Description:
    Googles latest OSS VRP promises up to $31,337 if you find an unusual or particularly interesting vulnerability.

    FULL STORY ======================================================================

    Google has launched a new program that will pay bounties for bugs found in
    its open source projects.

    The Open Source Software Vulnerability Rewards Program (OSS VRP) is the
    latest addition to the tech giants existing VRPs offering up cash for discoveries.

    The company says that its first VRP, aimed at those who helped secure Googles code, was one of the first in the world. Already in its second decade of operation, Google is keen to highlight its commitment to supporting security researchers and bug hunters. Google OSS bugs

    Google says the VRPs cover various Chrome and Android code across the
    companys wider operations, which have resulted in over $38 million being paid out to more than 13,000 contributions, from a total of 84 countries.

    Furthermore, Google has pledged to invest $10 billion to improve
    cybersecurity among its own users and open source software consumers.

    Google cites Codecov and Log4j as two of the most prominent incidents which have contributed to last years 650% year-on-year increase in OSS supply chain-targeted attacks. Read more

    Check out the best patch management software



    Open source bug leaves hundreds of thousands of sites open to attack



    Google might actually be the best friend for open-source software right now

    Googles Security Blog says the OSS VRP focuses on all up-to-date versions of OSS stored in the Google-owned GitHub organization spaces, such as GoogleAPIs and GoogleCloudPlatform, though the top awards are reserved for the most sensitive projects, which Google sets out to be Bazel, Angular, Golang, Protocol buffers, and Fuchsia; a list thats expected to expand after the initial program rollout.

    The targets for any hunters include: vulnerabilities that lead to supply
    chain compromise; design issues that cause product vulnerabilities; [and] other security issues such as sensitive or leaked credentials, weak
    passwords, or insecure installations.

    Rewards range from a measly $100 to a substantial $31,337, depending on the severity of the vulnerability uncovered, however any applicable bugs that are found that do not relate specifically to this VRP shall not be wasted, with Google promising to redirect any findings to the relevant VRP (and pot of cash). These are the best endpoint protection and antivirus software around



    ======================================================================
    Link to news story: https://www.techradar.com/news/google-will-now-pay-bounties-for-open-source-so ftware-bugs/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)