Highlights:

  • Google announced the establishment of the Open-Source Software Vulnerability Rewards Program (OSS VRP), which awards researchers who discover vulnerabilities in the open-source ecosystem up to USD 31,337 in rewards.
  • Providers like Google are attempting to rebuild trust in the software supply chain by incentivizing researchers to uncover and address flaws.

Numerous firms utilize open-source software to perform vital services and operations. However, they have no control over the maintenance of these components. This is why an increasing number of private firms are identifying and fixing vulnerabilities before attackers can exploit them.

Against this backdrop, Google announced the establishment of the Open-Source Software Vulnerability Rewards Program (OSS VRP), which awards researchers who discover vulnerabilities in the open-source ecosystem up to USD 31,337 in rewards.

The launch demonstrates that a crowdsourced approach to security can address vulnerabilities in widely used (but historically underfunded and undermaintained) open-source projects and eliminate possible entry points into business systems.

Restoring the software supply chain

The OSS VRP release comes at a time when concerns over attacks on the software supply chain have reached an all-time high, following the disclosure of zero-day vulnerabilities such as Log4Shell in Log4j, as well as colossal data breaches affecting providers such as SolarWinds and Codecov.

This concern is justified: threat actors are aggressively targeting software supply chain vulnerabilities, with attacks on open-source software supply chains growing by 650% between 2020 and 2021.

When all of these factors are considered together, they have significantly impacted people’s confidence in the security of open-source software. According to research findings, 41% of firms do not have a high confidence level in the security of their open-source software.

However, providers like Google are attempting to rebuild trust in the software supply chain by incentivizing researchers to uncover and address flaws.

As part of the new program, researchers will be compensated according to the severity of the vulnerability they identify. The largest payouts will go to those who find flaws in critical projects such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.

The broader open-source security landscape

It’s not just Google. Other organizations are also playing a more significant role in defining open-source security.

Earlier this year, at the White House Open-Source Security Summit II, coordinated by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), 90 executives from 37 firms convened to explore ways to safeguard the open-source supply chain.

Amazon, Microsoft, Ericsson, Intel, VMware, and Google, among others, donated more than USD 30 million during the event to increase the security of open-source software.

Notably, this announcement follows Google’s involvement in the NIST/NSF/U.S. OMB Open-Source Software Security Initiative Workshop, and it will help the company work toward its USD 10 billion goal to enhance cybersecurity.

At present, Microsoft provides consultancy services for the OSS SSC Framework to aid enterprises in establishing a governance program to manage the use of open-source software. Yet few bug bounty programs focus on open-source projects rather than closed product ecosystems.

The average compensation offered by HackerOne’s bug bounty program for identifying vulnerabilities affecting open-source software projects is USD 500.

As more firms see the importance of crowdsourced security in minimizing the risks associated with open-source software, we may anticipate an increase in the number of vulnerability disclosure and bug reward programs.
