Google is tackling supply chain cybersecurity attacks with a new bug bounty program.
Supply chain attacks involve hackers compromising the source code or service used by a range of industries and companies rather than targeting each individual organization. As a result, a single successful supply chain attack can compromise hundreds or even thousands of organizations using the service or product.
With supply chain attacks growing in popularity, Google is looking to address the problem with a bug bounty program. Bug bounties are payouts made to professional hackers and security researchers, also known as “white hats,” who find bugs and report them to companies so they can be fixed before bad actors exploit them.
Google announced the new bug bounty program in a blog post:
Today, we are launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is among the largest contributors and users of open source in the world.
Google made it clear that the goal of the new program was to help secure open source software supply chains.
The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability. Google’s OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.
Google says payouts will range from $100 to $31,337, depending on the severity and importance of the bug, as well as whether it is particularly interesting or unusual.