Google expands bug bounty program to cover GitHub and other open source projects

Google is adding to its bounty program that pays for the discovery of application vulnerabilities.

On Tuesday the company launched the Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of bugs in Google’s open source projects.

That covers all up-to-date versions of open source software (including repository configuration settings such as GitHub Actions) stored in the public repositories of Google-owned GitHub organizations (such as Google, GoogleAPIs, Google Cloud Platform, as well as projects that Google maintains, such as the Golang Go programming language, the Angular web developers platform and the Fuchsia operating system.

“The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises,” Google said. “Last year saw a 650 per cent year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability.

“Google’s OSS VRP is part of our US$10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.”

The overall program includes rewards for finding vulnerabilities in Google products such as Chrome, Android, Pixel smartphones, the Google Nest line of smart home products, Fitbit smartwatches, certain apps in the Google Play store, and other areas. Over the past 12 years, this program has rewarded more than 13,000 submissions, with over US$38 million paid out.

The new program not only focuses on Google’s open source projects but also those projects’ third-party dependencies (with prior notification to the affected dependency required before submission to Google’s OSS VRP).

The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia. After the initial rollout that list will be expanded.

The program is looking for

  • vulnerabilities that lead to supply chain compromise;

  • design issues that cause product vulnerabilities;

  • other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.

Depending on the severity of the vulnerability and the project’s importance, rewards will range from US$100 to US$31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.

See the program rules for more information.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now