Google Launches Rewards Program for Open Source Software Bugs

Attacks on the open source supply chain rose by 650% last year. Now, Google's paying people to help stop future ones.
Adam Rowe

Want Google to give you $31,337? You just need to find the right software vulnerability, because the tech giant is launching a new rewards program for anyone who spots a bug in its major open-source software projects.

Since the new program covers only Google's major open source software projects, all of the code in scope is publicly available for anyone to comb through. Granted, you'll need a lot of specialized knowledge to actually find a vulnerability that qualifies.

Open source rewards like this are fairly rare, but Google's software in particular has been targeted by supply chain attackers in recent years.

So How Much Money Can You Make?

The program comes with a ceiling on how much you can earn by finding a flaw: Rewards are between $100 and $31,337. The more severe the vulnerability, the higher the reward for bringing it to Google's attention.

The biggest rewards are reserved for the “most sensitive projects,” which are currently Bazel, Angular, Golang, Protocol buffers, and Fuchsia. Google says to check back, as they plan to add more once the initial rollout is over.

Programs like this, usually called "bug bounties," are common in programmer circles these days, although Google was among the first major companies to set one up 12 years ago. They help a company get far more eyes on its code than its in-house security team alone could provide.

Google must be happy with the results, as it has paid out over $38 million across 13,000 submissions since it first started offering the programs.

Why Open Source Software Is Important

The open source supply chain is an increasingly big target for attackers: In 2021, this specific type of attack jumped 650% year-over-year.

The Log4j incident is one major example of why open source vulnerabilities are so damaging. Log4j is a widely used open source logging library, so a single flaw in it exposed a huge number of products built on top of it. Just one opening can give an attacker the opportunity to do extensive damage.

Smaller businesses can reduce their risk by using SSO and a good password manager, but Google is operating at a different scale: the new rewards program is just one part of a $10 billion commitment the company is making toward keeping the software supply chain safe.


Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He's also a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi coming out from Abrams Books in 2022. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
