Google launches bug bounty to protect its open-source projects

31 Aug 2022

Image: © MoiraM/Stock.adobe.com

Google is offering up to $31,337 for vulnerabilities found in its own open-source projects and third-party dependencies.

Google is now paying people who find security flaws in its open-source projects through a new bug bounty scheme.

The rewards range from $100 to $31,337, depending on the severity of the vulnerability and the project’s importance. Larger amounts will also go to unusual or “particularly interesting” vulnerabilities, Google said.

It added that its new Vulnerability Rewards Programme (VRP) is prioritising discoveries that have the greatest impact on the supply chain. This includes vulnerabilities that lead to supply chain compromises, design issues in products or security issues such as leaked credentials or weak passwords.

“The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol Buffers and Fuchsia,” Google said in a blogpost yesterday (30 August). “After the initial rollout we plan to expand this list.”

The tech giant will also pay for vulnerabilities found in the third-party dependencies of Google projects.

Supply chain attacks

At the beginning of this year, major US tech companies including Google and GitHub came together at a White House summit to discuss ways to make the open-source software space more secure.

Google said this bug bounty was created to address the growing issue of supply chain compromises in open-source projects. A report by Sonatype claims there was a 650pc increase last year in open-source supply chain attacks.

Google also referenced key examples of vulnerabilities such as the Log4j flaw, which is expected to remain an issue in systems for a decade or longer.

Google’s original VRP was established nearly 12 years ago and was expanded over the years to focus on areas such as Chrome and Android security issues.

“Collectively, these programmes have rewarded more than 13,000 submissions, totalling over $38m paid,” the company said. “Through our existing bug bounty programmes, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP.”

An analysis by Aiven this month showed that Google has increased its commitments to open-source software recently, overtaking Microsoft in terms of active contributors.


Leigh Mc Gowran is a journalist with Silicon Republic
