Google is generous when it comes to paying security researchers who find bugs and vulnerabilities in its products. After all, it is cheaper to pay for a report and fix the problem early than to clean up after a breach. Now Google is expanding its Vulnerability Rewards Program (VRP) to its open-source projects. As announced today, researchers can submit bugs and vulnerabilities that can impact Google's open-source ecosystem and get rewarded for them.

Google says it started this program because attackers increasingly treat the open-source software that companies depend on as an attack vector. The company cites a study that found a 650% increase in attacks targeting open-source supply chains in 2021 compared to 2020. To make its own projects less likely to be hit, Google is bringing them under the VRP. The new OSS VRP's scope covers:

  • All up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations;
  • Those projects’ third-party dependencies (with prior notification to the affected dependency required before submission to Google’s OSS VRP).

The highest rewards will be paid out for Google's most high-profile and sensitive projects, including Fuchsia, the new OS that now powers some of the company's excellent Assistant smart displays. Rewards will range from $100 to $31,337 depending on the severity of the vulnerability and the sensitivity of the affected project.

If you're interested in helping Google out, read the rules posted on the company's Bug Hunters website before submitting anything. They spell out the technical details of which vulnerabilities are eligible in the first place, and, as noted above, findings in a third-party dependency must be reported to that dependency's maintainers before they are submitted to Google.

Google's VRP is an integral part of the company's security efforts. Over the years, the company has increased the total amount it spends on rewarding researchers, most recently paying out $8.7 million in 2021. The bug bounty program has now existed for eleven years.