New bug bounty from Google targets free software vulnerabilities

Google announced Tuesday, August 30, the launch of a new bug bounty program focused specifically on open source software. Vulnerability hunters can earn between $100 and $31,000 through this new program, depending on the severity of the discovery.

“The higher amounts will also go to finding unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Google points out in its blog post.

Attacks based on flaws in open source software

This new program addresses a major problem in the software community. Citing a report from Sonatype, Google notes that attacks targeting weaknesses in open source software grew 650% year-over-year in 2021. Even isolated vulnerabilities, like the severe Log4j vulnerability discovered in December 2021, can wreak havoc on a large scale.

Google’s new program encourages bug hunters to snoop around the latest versions of open-source software stored in public Google-owned GitHub repositories (such as Google, GoogleAPIs, and GoogleCloudPlatform).

It also focuses on the third-party dependencies of these projects.

Meeting at the White House

The first awards will be given to vulnerabilities discovered in Google’s most sensitive projects, including Bazel, Angular, Golang, Protocol Buffers and Fuchsia.

Google also encourages security researchers to look for issues that may have the greatest impact on the software industry, including design flaws that cause product vulnerabilities or security issues such as credential leaks.

This new program is part of the broader $10 billion plan that Google has committed to devote to cybersecurity in the United States. Google made the pledge last year following a meeting at the White House, where the Biden administration highlighted potential vulnerabilities in open-source software as a national security concern.

Source: ZDNet.com