Google Expands Bug Bounties to Its Open Source Projects

Published: 23/11/2024   Category: security


The search engine giant's Vulnerability Rewards Program now covers any Google open source software project, with a focus on critical software such as Go and Angular.



Google plans to pay out cash rewards for information on vulnerabilities discovered in any of its open source projects as part of an ongoing effort to improve the security of open source code.
The new Open Source Software Vulnerability Rewards Program (OSS VRP), which extends Google's existing Vulnerability Rewards Program, was announced in a blog post published today.
Google will pay researchers up to $31,337 for information on vulnerabilities in open source software projects, particularly those managed by Google, that impact the firm's software and services. Google's goal is to secure its own software supply chain, but because many non-Google developers use the company's open source software, such as the Go programming language and the Angular Web framework, the initiative promises to help secure the wider open source ecosystem as well.
At first, Google will focus on the most widely used and critical projects, says Francis Perron, open source security technical program manager at Google.
"We want to offer a high-quality bug-hunting experience, so we picked projects which had enough maturity in their response and their processes to test this program," he says. "Broadening the scope will happen after we compile enough data internally, and make sure we can scale up without harming the projects, and the researchers."
Securing the software supply chain has become a major effort of technology firms and policymakers. In January, the Biden administration met with technology companies and open source organizations to find ways to promote secure coding, find more vulnerabilities, and speed patching of open source projects. Last year, Google pledged to spend $10 billion over five years, supporting efforts by the OpenSSF, adding a cybersecurity advisory group, and bolstering its Invisible Security zero trust initiative.
"Governments and businesses are at a watershed moment in addressing cybersecurity," Kent Walker, president of global affairs for Google and its parent company Alphabet, said in the 2021 announcement of the company's $10 billion pledge. "Cyberattacks are increasingly endangering valuable data and critical infrastructure. While we welcome increased measures to reinforce cybersecurity, governments and companies are both facing key challenges."
Over the past decade, Google has paid out more than $38 million in rewards to researchers who have submitted 13,000 vulnerabilities to the company as part of its Vulnerability Rewards Program.
Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of which have code bases managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward reaching $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021.
With its Open Source Software Vulnerability Rewards Program (OSS VRP), Google is creating a standard framework to reward researchers who find issues in the open source software projects maintained by the company.
Google will allow submissions for "[a]ll up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations," the company stated in its blog post. In addition, the company has focused on rewards for several critical projects, including the Go programming language, the Angular Web framework, and its nascent operating system for connected devices, Fuchsia.
The company currently asks for submissions of vulnerabilities that affect the supply chain, design issues that could result in vulnerabilities in Google's products, and security weaknesses such as compromised credentials, weak passwords, or insecure installation configurations. As part of its focus on the supply chain, the company will reward researchers who submit vulnerabilities to third-party open source projects on which Google's software depends.
"This program focuses on Google-produced open source projects, and the proposed short list of flagship projects listed includes projects also driven by Google," says Google's Perron. "The rules also include the Standard tier, which does incorporate a vast amount of projects."
The company plans to pay researchers anywhere from $100 to $31,337 (a special number because it spells out "eleet," or elite, in hacker-speak), with the higher payouts going to more severe, or more creative, vulnerabilities.
With the additional bounty programs, some vulnerability rewards may overlap with other programs. Google pledged to work with researchers to submit their vulnerability reports to the right programs to maximize their payout, the company said.
