Google pays bounties to those who discover bugs in its open source software

Keep your eyes open, because Google could reward you. The tech giant has one goal in mind: to reach perfection, or at least come close to it, in its open source software. To that end, it will reward those who find bugs in that software and help it polish its code internally.

This collaboration takes place through a new bug bounty program, the Open Source Software Vulnerability Reward Program, known by the acronym OSS VRP. It is the latest addition to Google's existing VRPs, which pay money for such discoveries. It is worth remembering that the VRP that helped secure Google's own code was one of the first of its kind in the world.

With this new program, Google wants to strengthen its commitment to supporting security researchers and those known as "bug hunters". In fact, the company points out that the VRPs covering Android and Chrome open source code have already paid out a whopping 38 million dollars for more than 13,000 contributions from almost a hundred countries around the world.

The importance of improving cybersecurity for its users and for consumers of open source software has led Google to invest 10,000 million dollars in it. Among the most serious incidents the company has suffered, and wants to avoid repeating, are Log4j and Code, which drove a 650% increase in attacks targeting the OSS supply chain.

How to receive Google rewards

The OSS VRP covers the projects stored in Google-owned GitHub organizations such as GoogleAPIs and GoogleCloudPlatform. That said, the largest rewards are reserved for bugs found in the projects most exposed to attack, such as Fuchsia, Golang, Protocol Buffers, Angular and Bazel, among others.

Google will reward people who find vulnerabilities that could lead to a supply-chain compromise. It will also pay for discovering design problems that could cause vulnerabilities in its products, and for locating sensitive or leaked credentials, passwords that are too weak, or insecure installations.

The amounts vary widely and always depend on what the bounty hunters find: the more severe the vulnerability, the larger the reward. Judging by the payments made so far, rewards fall within a range of 100 to 31,000 dollars.

Whenever a researcher reports a bug, Google will check whether the vulnerability actually exists in its open source software. If it does, Google will disclose the report publicly no sooner than 30 days after the fix is available.
