Tech giant Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS).

The company’s newly announced Vulnerability Reward Program (VRP) focuses on Google software and repository settings (like GitHub Actions, application configurations, and access control rules).

“The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia,” Google said today.

Based on the severity level of the reported flaws and the project’s importance, the final rewards range from $100 to $31,337. 

The larger reward amounts will go to particularly interesting and unusual security vulnerabilities, with small bonuses of up to $1,000 also applying to the most interesting and clever bugs.

| Category | Flagship OSS projects | Standard OSS projects |
|---|---|---|
| Supply chain compromises | $3,133.7 – $31,337 | $1,337 – $13,337 |
| Product vulnerabilities | $500 – $7,500 | $101 – $3,133.7 |
| Other security issues | $1,000 | $500 |

“Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find. If your submission is particularly unusual, we’ll reach out and work with you directly for triaging and response,” Google said.

“In addition to a reward, you can receive public recognition for your contribution. You can also opt to donate your reward to charity at double the original amount.”
