Google to award up to $31,337 in new open-source bug bounty program
Photo Credit: Pixabay
31 Aug, 2022
Search giant Google has launched a new bug bounty programme where it will award up to $31,337 (nearly ₹25 lakh) to researchers who spot vulnerabilities in the company's open-source projects.

Bug bounties are monetary rewards given to security researchers or ethical hackers for finding vulnerabilities or security flaws in apps, services or operating systems. Big technology companies such as Apple, Google, Microsoft, Meta and Amazon, among others, have multiple bug bounty programmes on offer.

In a recent blog post, Google said that, depending on the severity of the vulnerability and the project's importance, rewards will range from $100 to $31,337.

The larger amounts will also go to unusual or particularly interesting vulnerabilities, so as to encourage creativity, Google said while launching its Open-Source Software Vulnerability Rewards Programme (OSS VRP), which applies to software available in the public repositories of Google-owned GitHub organisations as well as some repositories on other platforms.

With the addition of Google's new VRP, researchers can now be rewarded for finding bugs that could potentially impact the entire open-source ecosystem. The original VRP programme was one of the first in the world and is now approaching its 12th anniversary.

"Over time, our VRP line-up has expanded to include programmes focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, totalling over $38 million paid," Google said. "The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia," it added.

Google said that its OSS VRP is part of its "$10 billion commitment to improving cybersecurity. That includes securing the supply chain against these types of attacks for both Google's users and open-source consumers worldwide".

Last year, Google saw a 650% year-over-year surge in attacks targeting the open-source supply chain.