UPDATED 07:00 EDT / AUGUST 30 2022

SECURITY

Google launches bug hunt rewards program for major open-source software projects

Google LLC is launching another bug hunting program for coders, offering to pay cash rewards to anyone who can discover vulnerabilities in the open-source software projects it heads up.

The Open Source Software Vulnerability Rewards Program announced today is the latest addition to Google’s family of Vulnerability Reward Programs and is focused on rewarding researchers who find bugs that could harm some of the world’s most widely used open-source projects.

Google is the chief maintainer of numerous major open-source projects. For instance, it heads up the development of the Golang programming language, the TypeScript-based web application framework Angular and the Fuchsia operating system for smart home gadgets such as Nest. Of course, Google is a major user of these projects too, so it has a keen interest in identifying vulnerabilities in them before any malicious hackers spot them.

Vulnerabilities in open-source software are a serious problem, Google explained in a blog post. It said there was a 650% increase in attacks targeting the open-source software supply chain last year, alongside major incidents such as the Log4Shell vulnerability, which was exploited by Iranian hackers. That’s why Google last year said it’s committing a hefty $10 billion toward initiatives that can advance cybersecurity.

The OSS VRP program announced today is a part of that commitment. It encourages researchers to go through the open-source software code Google leads with a fine-tooth comb and report any vulnerabilities they discover. Google said it will pay out rewards based on the severity of the vulnerability and the importance of the project, ranging from $100 all the way up to $31,337. Larger rewards will also be paid out for “unusual or particularly interesting vulnerabilities,” so Google is encouraging researchers to get creative.

In addition to the rewards, users can also receive public recognition of their discoveries, if they desire. For those who want to donate their reward to charity, Google said it will match those contributions from its own cash pile.

Google explained that researchers should focus their efforts on the most up-to-date versions of the open-source software projects it leads, which can be found in the public repositories of Google’s GitHub page. The bug hunt also extends to third-party dependencies of those projects.

The most sensitive projects, according to Google, are Bazel, Angular, Golang, Protocol buffers and Fuchsia, so any vulnerabilities found in those projects will likely earn the finder a handsome reward. Google is also planning to expand this list to include other projects. With regard to the specific kinds of bugs it’s interested in, Google said it welcomes submissions of vulnerabilities that lead to supply chain compromise, design issues that lead to product vulnerabilities, and other issues around sensitive or leaked credentials, weak passwords and insecure installations.

“Bug hunts are a popular tool not only to improve the quality of software offerings, but also to increase the familiarity of developers while acting as an incentive for deeper interaction with the code,” said Holger Mueller of Constellation Research Inc. “Along these lines, it is good to see Google offering another bug hunt, labelled as the Open Source Software Vulnerability Program. All the parameters are attractive; developer communities are fickle, so we will see what the response will be like, and most importantly what defects and further adoption of the underlying platforms can be garnered.”

Besides the OSS VRP program, Google also pays out rewards for vulnerabilities discovered in Chrome, Android and various other areas. To date, it claims to have paid out more than $38 million in collective rewards, so there’s a lot of incentive to get hunting.

Image: JohnArtsz/Pixabay
