Want Google to give you $31,000? You just need to find the right software vulnerability, because the tech giant is launching a new rewards program for anyone who spots a bug in its major open-source software projects.
Since the new program is centered only on Google's major open source software projects, all the code is available for anyone to comb through. Granted, you'll need a lot of specialized knowledge to actually find any vulnerabilities.
Open source rewards like this are fairly rare, but Google's software in particular has been targeted by supply chain attackers in recent years.
So How Much Money Can You Make?
The program comes with a ceiling on how much you can earn by finding a flaw: Rewards are between $100 and $31,337. The worse the vulnerability, the higher the reward for bringing it to Google's attention.
The biggest rewards are reserved for the “most sensitive projects,” which are currently Bazel, Angular, Golang, Protocol buffers, and Fuchsia. Google says to check back, as they plan to add more once the initial rollout is over.
This type of program isn't new in programmer circles these days, although Google was among the first major companies to set one up 12 years ago: Also called a “bug bounty,” rewards programs like Google's help companies get far more eyes on a project.
Google must be happy with the results, as it has paid out over $38 million across 13,000 submissions since it first started offering the programs.
Why Open Source Software Is Important
The open source supply chain is an increasingly big target for attackers: In 2021, this specific type of attack jumped up 650% year-over-year.
The Log4j incident is one major example of why open source vulnerabilities are so bad. Just one opening can give a hacker the opportunity to extensive damage.
The smaller businesses can stay secure by using SSO and a good password manager, but Google takes security so seriously that the new rewards program is just one part of a $10 billion commitment the company is making towards keeping the supply chain safe.