Date: 2022-08-30

Google on Tuesday announced the launch of the Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in its open source projects.

Through this program, Google will provide monetary rewards and public recognition to security researchers who find bugs that could potentially impact the entire open source ecosystem. The program is part of Google's $10B commitment to improving cybersecurity, including securing the supply chain against attacks for both Google's users and open source consumers worldwide.

Google's Open Source Software Vulnerability Rewards Program covers all the latest versions of open source software stored in the public repositories of Google-owned GitHub organizations and selected repositories hosted on other platforms. Additionally, vulnerabilities in 3rd-party dependencies are in scope for this program.

The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia, the company said, adding that it plans to expand the list after the initial rollout. Depending on the severity of the vulnerability and the project's importance, rewards will range from $100 to $31,337.

"Google is proud to both support and be a part of the open source software community. Through our existing bug bounty programs, we've rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP," Google said.

The new reward program is the latest to join Google's family of Vulnerability Reward Programs (VRPs). According to the company, collectively, these programs have rewarded more than 13,000 submissions, totaling over $38M paid.

More details about Google's Open Source Software Vulnerability Rewards Program can be found here.