Additionally, VRP will cover security flaws in third-party dependencies in Google OSS. The company says the security of its dependencies is a critical element of the security of a software package. So it’s only fitting to cover those too. But security researchers require to first report the vulnerabilities to the vendor of the third-party dependencies and ensure a fix for it before taking up the matter to Google for reward. You need to submit the issue details to Google within 30 days of the third-party vendor releasing a fix. You also must be able to demonstrate that the third-party vulnerability can be exploited in Google OSS. In a detailed post on its Bug Hunters website, Google states that discovering vulnerabilities in third-party services or platforms used to maintain and build Google OSS will now make you eligible for rewards under VRP. “We cannot authorize you to conduct security research of assets that belong to other users and companies on their behalf,” the Android maker says. As far as qualifying vulnerabilities are concerned, Google will pay researchers for finding issues such as supply chain compromises, product vulnerabilities, and other security bugs in its open-source software. According to Android Police, who first reported this expansion of Google’s VRP, open-source supply chains have become a major target for hackers to use as attack vendors. Such attacks saw a 650 percent annual increase in 2021. Covering open-source projects under VRP could go a long way in ensuring the security of Google software.
Finding a bug in Google open-source software may earn you hefty rewards
As usual, Google has multiple reward tiers with varying payouts. Vulnerabilities discovered in flagship OSS projects, which include Bazel, Angular, Golan, Protocol buffers, and Fuchsia could earn you rewards of more than $31,000. The reward amount tops out at $13,337 for standard OSS projects, while the company doesn’t specify the amount for low-priority OSS projects. The reward amount also depends on the vulnerability type. Supply chain compromises earn you more than product vulnerabilities and other security issues. If you’re a security researcher, you can visit Google’s Bug Hunters website for more details. You will find all the technical information on the project tiers, qualifying vulnerabilities, bug reporting, and more there.