{"id":13568,"date":"2022-08-31T14:38:25","date_gmt":"2022-08-31T14:38:25","guid":{"rendered":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/"},"modified":"2022-08-31T14:38:26","modified_gmt":"2022-08-31T14:38:26","slug":"googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/","title":{"rendered":"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks"},"content":{"rendered":"<p>Source: <a href=\"https:\/\/www.theverge.com\/2022\/8\/30\/23328977\/google-open-source-bug-bounty-supply-chain-hacks-dependencies\">https:\/\/www.theverge.com\/2022\/8\/30\/23328977\/google-open-source-bug-bounty-supply-chain-hacks-dependencies<\/a><br \/>\n<code><br \/><\/br><\/code><\/p>\n<div readability=\"77.79101302845\">\n<p id=\"twDxLn\">Google has <a href=\"https:\/\/security.googleblog.com\/2023\/08\/Announcing-Googles-Open-Source-Software-Vulnerability-Rewards-Program%20.html\">introduced a new vulnerability rewards program<\/a> to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It\u2019ll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies that are included in those projects\u2019 codebases.<\/p>\n<p id=\"nujeow\">While it\u2019s important for Google to fix bugs in its own projects (and in the software that it uses to keep track of changes to its code, which the program also covers), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open-source projects so they don\u2019t continuously have to reinvent the same wheel. But since developers often directly import that code, as well as any updates to it, that introduces the possibility of supply chain attacks. That\u2019s when hackers don\u2019t target the code directly controlled by Google itself but go after these third-party dependencies instead.<\/p>\n<div class=\"c-float-right\">\n<aside id=\"84lqED\"><q>Open-source libraries can sometimes be used as a trojan horse into bigger projects<\/q><\/aside>\n<\/div>\n<p id=\"Q8WR47\">As <a href=\"https:\/\/www.theverge.com\/2021\/1\/26\/22248631\/solarwinds-hack-cybersecurity-us-menn-decoder-podcast\">SolarWinds showed<\/a>, this type of attack isn\u2019t limited to open-source projects. But in the <a href=\"https:\/\/www.theverge.com\/2014\/4\/8\/5594266\/how-heartbleed-broke-the-internet\">past few years<\/a>, we\u2019ve seen <a href=\"https:\/\/www.theverge.com\/2021\/2\/10\/22276857\/security-researcher-repository-exploit-apple-microsoft-vulnerability\">several<\/a> <a href=\"https:\/\/www.theverge.com\/2022\/1\/9\/22874949\/developer-corrupts-open-source-libraries-projects-affected\">stories<\/a> where big companies have had their security put at risk thanks to dependencies. There are ways to mitigate this sort of attack vector \u2014 Google itself has begun <a href=\"https:\/\/www.theverge.com\/2022\/5\/17\/23097529\/google-assured-open-source-software-security-vetted-libraries\">vetting and distributing a subset of popular open-source programs<\/a>, but it\u2019s almost impossible to check over all the code a project uses. Incentivizing the community to check through dependencies and first-party code helps Google cast a wider net.<\/p>\n<p id=\"NPR8Yz\">According to <a href=\"https:\/\/bughunters.google.com\/about\/rules\/6521337925468160\/google-open-source-software-vulnerability-reward-program-rules\">Google\u2019s rules<\/a>, payouts from the Open Source Software Vulnerability Rewards Program will depend on the severity of the bug, as well as the importance of the project it was found in (Fuchsia and the like are considered \u201cflagship\u201d projects and thus have the biggest payouts). There are also some additional rules around bounties for supply chain vulnerabilities \u2014 researchers will have to inform whoever\u2019s actually in charge of the third-party project first before telling Google. They also have to prove that the issue affects Google\u2019s project; if there\u2019s a bug in a part of the library the company\u2019s not using, it won\u2019t be eligible for the program. <\/p>\n<div class=\"c-float-right\">\n<aside id=\"1n6WMO\"><q>\u201cResearchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem.\u201d<\/q><\/aside>\n<\/div>\n<p id=\"oVcwKI\">Google also says that it doesn\u2019t want people poking around at third-party services or platforms it uses for its open-source projects. If you find an issue with how its GitHub repository is configured, that\u2019s fine; if you find an issue with GitHub\u2019s login system, that\u2019s not covered. (Google says it can\u2019t authorize people to \u201cconduct security research of assets that belong to other users and companies on their behalf.\u201d) <\/p>\n<p id=\"so9pQv\">For researchers who aren\u2019t motivated by money, Google offers to donate their rewards to a charity picked by the researcher \u2014 the company even says it\u2019ll double those donations. <\/p>\n<p id=\"nDF1MJ\">Obviously, this isn\u2019t Google\u2019s first crack at a bug bounty \u2014 it had some form of vulnerability reward program for <a href=\"https:\/\/twitter.com\/GoogleVRP\/status\/1420006557329367040\">over a decade<\/a>. But it\u2019s good to see that the company\u2019s taking action on a problem that it\u2019s been raising the alarm about. Earlier this year, in the wake of the <a href=\"https:\/\/www.theverge.com\/2021\/12\/10\/22828303\/log4j-library-vulnerability-log4shell-zero-day-exploit\">Log4Shell exploit<\/a> found in the popular open-source Log4j library, Google <a href=\"https:\/\/www.theverge.com\/2022\/1\/13\/22882176\/google-government-action-protect-open-source-software-funding-security\">said the US government<\/a> needs to be more involved in finding and dealing with security issues in critical open-source projects. Since then, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/google-launches-open-source-software-bug-bounty-program\/\">as <em>BleepingComputer<\/em> notes<\/a>, the company has <a href=\"https:\/\/security.googleblog.com\/2022\/02\/roses-are-red-violets-are-blue-giving.html\">temporarily bumped up payouts<\/a> for people who find bugs in certain open-source projects like Kubernetes and the Linux kernel. <\/p>\n<\/div>\n<p><code><br \/><\/br><\/code><\/p>\n<p>Source: <a href=\"https:\/\/www.theverge.com\/2022\/8\/30\/23328977\/google-open-source-bug-bounty-supply-chain-hacks-dependencies\">https:\/\/www.theverge.com\/2022\/8\/30\/23328977\/google-open-source-bug-bounty-supply-chain-hacks-dependencies<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Source: Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It\u2019ll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":13569,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"pagelayer_contact_templates":[],"_pagelayer_content":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[21,8],"tags":[10],"class_list":["post-13568","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-google","category-technology","tag-google"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks - Science and Nerds<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks - Science and Nerds\" \/>\n<meta property=\"og:description\" content=\"Source: Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It\u2019ll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"Science and Nerds\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-31T14:38:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-08-31T14:38:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/\",\"url\":\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/\",\"name\":\"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks - Science and Nerds\",\"isPartOf\":{\"@id\":\"https:\/\/scienceandnerds.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/i0.wp.com\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg?fit=1200%2C628&ssl=1\",\"datePublished\":\"2022-08-31T14:38:25+00:00\",\"dateModified\":\"2022-08-31T14:38:26+00:00\",\"author\":{\"@id\":\"https:\/\/scienceandnerds.com\/#\/schema\/person\/ea2991abeb2b9ab04b32790dff28360e\"},\"breadcrumb\":{\"@id\":\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#primaryimage\",\"url\":\"https:\/\/i0.wp.com\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg?fit=1200%2C628&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg?fit=1200%2C628&ssl=1\",\"width\":1200,\"height\":628},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/scienceandnerds.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/scienceandnerds.com\/#website\",\"url\":\"https:\/\/scienceandnerds.com\/\",\"name\":\"Science and Nerds\",\"description\":\"My WordPress Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/scienceandnerds.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/scienceandnerds.com\/#\/schema\/person\/ea2991abeb2b9ab04b32790dff28360e\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/scienceandnerds.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7e6e14fc6691445ef2b2c0a3a6c43882?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7e6e14fc6691445ef2b2c0a3a6c43882?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/scienceandnerds.com\"],\"url\":\"https:\/\/scienceandnerds.com\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks - Science and Nerds","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/","og_locale":"en_US","og_type":"article","og_title":"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks - Science and Nerds","og_description":"Source: Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It\u2019ll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party [&hellip;]","og_url":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/","og_site_name":"Science and Nerds","article_published_time":"2022-08-31T14:38:25+00:00","article_modified_time":"2022-08-31T14:38:26+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg","type":"image\/jpeg"}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/","url":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/","name":"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks - Science and Nerds","isPartOf":{"@id":"https:\/\/scienceandnerds.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#primaryimage"},"image":{"@id":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg?fit=1200%2C628&ssl=1","datePublished":"2022-08-31T14:38:25+00:00","dateModified":"2022-08-31T14:38:26+00:00","author":{"@id":"https:\/\/scienceandnerds.com\/#\/schema\/person\/ea2991abeb2b9ab04b32790dff28360e"},"breadcrumb":{"@id":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#primaryimage","url":"https:\/\/i0.wp.com\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg?fit=1200%2C628&ssl=1","contentUrl":"https:\/\/i0.wp.com\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg?fit=1200%2C628&ssl=1","width":1200,"height":628},{"@type":"BreadcrumbList","@id":"https:\/\/scienceandnerds.com\/2022\/08\/31\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/scienceandnerds.com\/"},{"@type":"ListItem","position":2,"name":"Google\u2019s open-source bug bounty aims to clamp down on supply chain attacks"}]},{"@type":"WebSite","@id":"https:\/\/scienceandnerds.com\/#website","url":"https:\/\/scienceandnerds.com\/","name":"Science and Nerds","description":"My WordPress Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/scienceandnerds.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/scienceandnerds.com\/#\/schema\/person\/ea2991abeb2b9ab04b32790dff28360e","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/scienceandnerds.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/7e6e14fc6691445ef2b2c0a3a6c43882?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7e6e14fc6691445ef2b2c0a3a6c43882?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/scienceandnerds.com"],"url":"https:\/\/scienceandnerds.com\/author\/admin\/"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/i0.wp.com\/scienceandnerds.com\/wp-content\/uploads\/2022\/08\/googles-open-source-bug-bounty-aims-to-clamp-down-on-supply-chain-attacks_630f7261906e8.jpeg?fit=1200%2C628&ssl=1","_links":{"self":[{"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/posts\/13568"}],"collection":[{"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/comments?post=13568"}],"version-history":[{"count":1,"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/posts\/13568\/revisions"}],"predecessor-version":[{"id":13570,"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/posts\/13568\/revisions\/13570"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/media\/13569"}],"wp:attachment":[{"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/media?parent=13568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/categories?post=13568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scienceandnerds.com\/wp-json\/wp\/v2\/tags?post=13568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}