
Supply Chain Attacks Targeted by New Open Source Bug Bounty

Published on Sep 01, 2022

Google this week introduced a new bug bounty program offering payouts ranging from roughly £86 to £27,050 (in the program's own terms, $100 to $31,337, the top figure being a leetspeak spelling of "eleet").

The Open Source Software Vulnerability Rewards Program (OSS VRP) is one of the first vulnerability reward programs dedicated specifically to open source software.

The program rewards vulnerabilities discovered in the tech giant's own open source projects, with the highest payouts reserved for its flagship projects: Angular, Bazel, Golang, Protocol Buffers, and Fuchsia.

Other Google-maintained projects hosted on public repositories such as GitHub are also in scope, as are their third-party dependencies, with the caveat that a bug in a dependency must be reported to that dependency's maintainers before it is submitted to Google.

Bug hunters are expected to submit reports that fall into one of the following categories:

  • Vulnerabilities that lead to supply chain compromise
  • Design issues that cause product vulnerabilities
  • Other security issues such as leaked or sensitive credentials, weak passwords, or insecure installations

With supply chain attacks on package ecosystems such as Maven, NPM, PyPI, and RubyGems steadily escalating, hardening open source components, especially third-party libraries, has emerged as a top priority.

The Log4Shell vulnerability in the Log4j Java logging library, disclosed in December 2021, caused widespread havoc and became a clarion call for improving the state of software supply chains.

“In 2017, there was a 650% increase in attacks on the open source supply chain, including headliner incidents such as Codecov and Log4j, which demonstrated the destructive power of a single open source vulnerability,” said Google’s Francis Perron and Krzysztof Kotowicz.

Google instituted a similar reward program last November for working exploits that achieve Linux kernel privilege escalation or escape from a Kubernetes container. Its maximum payout has since been raised from £43,452 to £78,844, an increase that runs until the end of 2022.

As part of its efforts to strengthen the security of critical open source projects, Google also announced the creation of a new “Open Source Maintenance Crew” earlier this May.
