Google plans to pay out cash rewards for information on vulnerabilities discovered in any of its open source projects as part of an ongoing effort to improve the security of open source code.

The new Open Source Software Vulnerability Rewards Program (OSS VRP), which extends Google's existing Vulnerability Rewards Program, was announced in a blog post published today.

Google will pay researchers up to $31,337 for information on vulnerabilities in open source software projects — particularly those managed by Google — that impact the firm's software and services. Google's goal is to secure its own software supply chain, but because many non-Google developers use the company's open source software — such as the Go programming language and Angular Web framework — the initiative promises to help secure the wider open source ecosystem as well.

At first, Google will focus on the most widely used and critical projects, says Francis Perron, open source security technical program manager at Google.

"We want to offer a high-quality bug-hunting experience, so we picked projects which had enough maturity in their response and their processes to test this program," he says. "Broadening the scope will happen after we compile enough data internally, and make sure we can scale up without harming the projects, and the researchers."

Supply Chain Security Challenges

Securing the software supply chain has become a major effort of technology firms and the policymakers. In January, the Biden administration met with technology companies and open source organizations to find ways to promote secure coding, find more vulnerabilities, and speed patching of open source projects.

Last year, Google pledged to spend $10 billion over five years, supporting efforts by the OpenSSF, adding a cybersecurity advisory group, and bolstering its Invisible Security zero trust initiative.

"Governments and businesses are at a watershed moment in addressing cybersecurity," Kent Walker, president of global affairs for Google and its parent company Alphabet, said in the 2021 announcement of the company's $10 billion pledge. "Cyberattacks are increasingly endangering valuable data and critical infrastructure. While we welcome increased measures to reinforce cybersecurity, governments and companies are both facing key challenges."

Over the past decade, Google has paid out more than $38 million in rewards to researchers who have submitted 13,000 vulnerabilities to the company, as part of its Vulnerability Rewards Program. 

Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of whose base code are managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward hitting $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021.

Paying for "Eleet" Bug Finds

With its Open Source Software Vulnerability Rewards Program (OSS VRP), Google is creating a standard framework to reward researchers who find issues in the open source software projects maintained by the company.

Google will allow submissions for "[a]ll up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations," the company stated in its blog post. In addition, the company has focused on rewards for several critical projects, including the Go programming language, the Angular Web framework, and its nascent operating system for connected devices, Fuchsia.

The company currently asks for submissions of vulnerabilities that affect the supply chain, design issues that could result in vulnerabilities in Google's products, and security weaknesses such as compromised credentials, weak passwords, or insecure installation configurations. As part of its focus on the supply chain, the company will reward researchers who submit vulnerabilities to third-party open source projects on which Google's software depends.

"This program focuses on Google-produced open source projects, and the proposed short list of flagship projects listed includes projects also driven by Google," says Google's Perron. "The rules also include the 'Standard' tier, which does incorporate a vast amount of projects."

The company plans to pay researchers anywhere from $100 to $31,337 — a special number because it spells out "eleet," or elite, in hackerspeak — with the higher payouts going to more severe, or more creative, vulnerabilities.

With the additional bounty programs, some vulnerabilities rewards may overlap with other programs. Google pledged to work with researchers to submit their vulnerability reports to the right programs to maximize their payout, the company said.