On Tuesday, tech giant Google announced that it is launching its own bug bounty program that will focus specifically on detecting flaws in open-source software. According to Google, payouts will range from $100 to upwards of $31,000. The program is titled the Open Source Software Vulnerability Rewards Program. As with other such programs, the payout will depend on the severity of the vulnerability found. The program seeks to combat a recent spike in supply chain compromises impacting the industry. Google cited a report in which researchers found that open-source supply chain attacks grew by 650% year-over-year in 2021.
The new program will entice bug bounty hunters to search for issues and flaws in open-source software stored in the public repositories of the Google-owned GitHub organizations Google, GoogleAPIs, and GoogleCloudPlatform. The highest payouts will go to bug bounty hunters who find vulnerabilities in some of Google's most sensitive projects, such as Bazel, Angular, Golang, and Fuchsia. Google is also encouraging participants to look for problems that could have the biggest impact on the supply chain.
Read More: Google’s new bug bounty program targets open-source vulnerabilities