Supply Chain Attacks Targeted by New Open Source Bug Bounty
Published on Sep 01, 2022
A new bug bounty program was introduced by Google on Monday, offering payouts ranging from £86.32 to £27,050.88 (a reference to element or leaf).
The Open Source Software Vulnerability Rewards Program (OSS VRP) is one of the first open source-specific vulnerability reward programs.
The program aims to reward the discovery of vulnerabilities in the tech giant's own projects, which include Angular, Bazel, Golang, Protocol Buffers, and Fuchsia.
Projects managed by Google and hosted on public repositories such as GitHub, as well as their third-party dependencies, are also eligible.
Bug hunters should submit reports that meet the following criteria:
Vulnerabilities that lead to a supply chain compromise
Vulnerabilities caused by design issues
Other security issues such as leaked credentials, weak passwords, or insecure installations
Amid a steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems, hardening open source components, especially third-party libraries, has emerged as a top priority.
As one example, the Log4Shell vulnerability in the Log4j Java logging library, discovered in December 2021, caused widespread havoc and became a clarion call for improving the state of software supply chains.
“In 2017, there was a 650% increase in attacks on the open source supply chain, including headliner incidents such as Codecov and Log4j, which demonstrated the destructive power of a single open source vulnerability,” said Google’s Francis Perron and Krzysztof Kotowicz.
A similar reward program was instituted by Google last November for uncovering privilege escalation and Kubernetes escape exploits. The maximum payout has since been raised from £43,452 to £78,844 until the end of 2022.
As part of its efforts to strengthen the security of critical open source projects, Google also announced the creation of a new “Open Source Maintenance Crew” earlier this May.