Google attracting bounty hunters to open source projects

Better security for products like Golang.

Google has added a bug bounty program focused on its open source projects.

The company’s open source projects include well-known software like the Go language, Angular web developer environment, and Fuchsia operating system, with confirmed bugs to earn their discoverers between US$100 (A$147) and US$31,337 (a hat-tip to calculator-speak for ‘eleet’).

Other high-profile projects currently in-scope for the bounty include the Bazel build system, and Protocol Buffers used to serialise structured data.

“After the initial rollout we plan to expand this list,” Google’s open source security technical program manager Francis Perron and information security engineer Krzysztof Kotowicz wrote.

The pair said the main interests of the program as it now stands are “vulnerabilities that lead to supply chain compromise, design issues that cause product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations”.

“Supply chain compromise” covers “the ability to compromise Google OSS source code, and build artifacts or packages distributed via package managers to users.”

Product vulnerabilities are straightforward issues like memory corruption, sanitisation failure, path traversal, bad defaults, or even insecure code examples in documentation.

There are other classes of bugs that will be recognised: sensitive credentials, weak passwords in third-party products, or install and usage instructions “that compromise the security of the developers working on the product”.

Google recognises that its open source projects rest on third-party dependencies, so vulnerabilities in those dependencies are explicitly within the program’s scope.

So long as a researcher notifies the maintainer of the third-party package, Google will accept such a vulnerability if it can be triggered or exploited in a Google open source package, and if the report is shared no earlier than 30 days after the upstream fix is available.

Third party “services or platforms”, however, are out of scope.

There are three project tiers: flagship projects (Bazel, Angular, Golang, Protocol Buffers and Fuchsia); standard OSS projects; and low-priority OSS projects (these may be experimental, sample, small, or low-activity projects).

Copyright © iTnews.com.au . All rights reserved.