
Google announced a new vulnerability incentive program specifically for open source software: up to 216500 yuan, involving projects such as Fuchsia / Golang

2025-01-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)11/24 Report--

CTOnews.com, August 31: Google launched its Vulnerability Reward Program (VRP) as early as 2010. As the name suggests, it encourages researchers and cybersecurity experts to find security problems and vulnerabilities and then report them privately to vendors. Once reported, these bugs are fixed by the company, and those who discovered them are rewarded with money. Over the past few years, Google has been working to unify the platform and expand it to more platforms. Now Google has announced another expansion, this time into the open source software (OSS) space.

Google emphasizes that it is one of the largest contributors and maintainers of OSS, with projects such as Golang, Angular and Fuchsia, and understands the need to protect this space. Therefore, its OSS VRP program also aims to encourage dedicated efforts in this regard.

OSS VRP focuses on any OSS code in Google's portfolio. CTOnews.com understands that this includes not only projects Google maintains, but also any OSS dependencies maintained by other vendors. The two types of OSS covered by this VRP are defined as follows:

All the latest versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations

Third-party dependencies of these projects (the affected dependency must be notified before submission to Google's OSS VRP)

The types of submissions Google currently accepts include vendor vulnerabilities, design flaws, and general security issues such as weak or compromised credentials, or insecure deployments. Rewards start at $100 and can go up to $31337, with the highest amounts reserved for more sensitive projects such as Bazel, Angular, Golang, Protocol buffers and Fuchsia.

Google hopes this community-driven collaborative effort will help improve OSS security. The plan is part of a $10 billion cybersecurity investment Google announced a year ago after meeting with the U.S. president. Back in April, Google pledged to support the Open Source Security Foundation's (OpenSSF) package analysis project to detect malicious open source packages.
