Google’s open-source bug bounty aims to clamp down on supply chain attacks
by Mitchell Clark from The Verge - All Posts on (#632Q4)
An important and sometimes overlooked part of security | Photo by Amelia Holowaty Krales / The Verge
Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It'll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies that are included in those projects' codebases.
While it's important for Google to fix bugs in its own projects (and in the software that it uses to keep track of changes to its code, which the program also covers), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open-source projects so they don't continuously have to reinvent the...