Discovering and reporting bugs can be a lucrative hobby, and some white hat hackers have successfully made a career out of it. You can get in on the action too by participating in bug bounty programs and in return receive recognition and financial rewards. Google, for instance, just launched a new vulnerability rewards program for open-source software.

What is the Google Open-Source Software Vulnerability Rewards Program?

Given how many organizations all over the world rely on it, open-source software needs to be kept secure. We’ve all seen the outcome when cybercriminals use exploits to take advantage of security flaws and vulnerabilities—data loss, hidden charges, compromised bank accounts, stolen cryptocurrencies, among others.

With the rise in hacking incidents that use open-source software as an attack vector, Google took the initiative to expand its vulnerability rewards program to include open-source software.

Specifically, the OSS VRP covers the latest versions of software stored in Google’s public repositories on GitHub and a few other platforms. The configuration settings of those repositories are also within the program’s scope.

What bugs and issues can be reported as a vulnerability?

Google’s OSS VRP groups bugs and vulnerabilities into three main project tiers. In decreasing order of importance, these are the flagship OSS projects, standard OSS projects, and low-priority OSS projects. Flagship projects include the software automation tool Bazel, the programming language Golang, and the operating system Fuchsia.

Bugs are also classified into three categories, with supply chain compromises being the most critical, followed by product vulnerabilities and other security issues.

How much can you earn through the Vulnerability Rewards Program?

The amount of financial reward you can receive depends on the severity and classification of the bug. If you report a supply chain compromise in a flagship OSS project, for instance, you can be rewarded as much as $31,337. That’s about Php1.76 million in our local currency. The minimum reward is $100 (~Php5,600). Reported bugs for projects under the low-priority tier, including archived projects with no active development, are not compensated.

If you’re not in it for the money, you can opt to have your reward donated to a charity of your choice. There’s also the public recognition (if you choose to be credited for the report) and the bug hunting experience, which can be useful for some jobseekers.

Due to sanctions and legal issues, residents of a number of countries (such as Cuba and North Korea) aren’t eligible to receive rewards. Employees of Google and affiliated companies are also ineligible for rewards.

For reference, Google gave away $8.7 million to bug bounty hunters last year.

| Category                | Flagship OSS        | Standard OSS        | Low-priority OSS |
|-------------------------|---------------------|---------------------|------------------|
| Supply chain            | $3,134 to $31,337   | $1,336 to $13,334   | Not compensated  |
| Product vulnerabilities | $500 to $7,500      | $101 to $3,134      | Not compensated  |
| Other security issues   | $1,000              | $500                | Not compensated  |

How do you report a vulnerability and security bug to Google?

To submit a report, visit the Google product form page specifically for the VRP. You’ll need to create and sign in with a bounty hunter profile, then fill in the necessary information as you go through five steps. You’ll be asked to describe the bug, where it is located, the problems resulting from it, and the products or websites affected. One of the steps includes providing technical details, such as the procedure to reproduce the bug, proof-of-concept exploits, and crash dumps.

After submitting your bug report, you’ll receive confirmation of receipt via email. Within the next 14 days, someone from Google will check the validity of your report and possibly contact you for further details. They will also determine the severity of the bug. If the report is successful, you’ll be contacted regarding the reward.

To learn more about the OSS VRP, visit Google’s official Bug Hunters page.
