Google attracts bounty hunters to open source projects

Google has added a bug bounty program focused on its open source projects.

The company’s open source projects include the Go language, the Angular web development framework, and the Fuchsia operating system. Confirmed bugs will earn their discoverers between US$100 (A$147) and US$31,337 (a hat tip to calculator-speak for ‘eleet’).

Other high-profile projects currently in scope for the bounty include the Bazel build system and Protocol Buffers, the format used to serialize structured data.

“After the initial release, we plan to expand this list,” Google Open Source Security Technical Program Manager Francis Perron and Information Security Engineer Krzysztof Kotowicz wrote.

The pair said the main concerns of the program as it stands now are “vulnerabilities that lead to supply chain compromise, design issues that cause product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.”

“Supply chain compromise” covers “the ability to compromise Google OSS source code and create artifacts or packages distributed via package managers to users.”

Product vulnerabilities are issues such as memory corruption, sanitization failures, path traversal, insecure default values, or even insecure code examples in the documentation.

Other kinds of flaws will also be recognized: sensitive credentials, weak passwords on third-party products, or installation and usage instructions “that compromise the security of the developers working on the product.”

Because Google recognizes that open source projects rest on third-party dependencies, vulnerabilities in those dependencies are explicitly in scope for the program.

Provided the researcher has first notified the third-party package’s maintainers, Google will accept a dependency vulnerability if it can be triggered or exploited in a Google open source package, and if the report reaches Google no earlier than 30 days after the upstream fix becomes available.

However, third party “services or platforms” are out of scope.

There are three project tiers: flagship projects (Bazel, Angular, Golang, Protocol Buffers, and Fuchsia); standard OSS projects; and low-priority OSS projects (these may be pilot, sample, small, or low-activity projects).
