back to article Find a security hole in Google's open source and you could bag a $31,337 reward

Google has created a bug bounty program that will reward those who find and report vulnerabilities in its open-source projects, thereby hopefully strengthening software supply-chain security. The Open Source Software Vulnerability Rewards Program (OSS VRP) will pay bug hunters between $100 and $31,337 (eleet, elite ... geddit …

  1. Anonymous Coward
    Anonymous Coward


    This way, they hope to create the illusion they do something about security without spending actual money on employing some teams or companies to give projects the shakedown they actually need.

    There are just a few tiny but rapidly reproducing flies in that ointment: during a ransomware case I had to review last year I discovered that criminal gangs offer a LOT of money for inside and breach information (I should have guessed this but I never had cause to look into this before). Translated: someone who finds a decent crack in key code may not be selling it to Google for what is a rather measly payoff in the first place but may venture onto the criminal path instead. This is only going to get worse as it will take time to recover the currently crumbling economies worldwide.

    If Google would have organised a pool with other organisations that benefit from FOSS it would have at least created a better incentive.

    1. Charlie Clark Silver badge

      Re: Cheapskates

      You'd be right if this was all Google is doing: whatever rewards they offer can almost certainly be offset against tax so it's not even a cost.

      But Google does also devote its own resources to finding bugs with the Project Zero team and things like OSS Fuzz, which is certainly not cheap to run. A drop in the ocean? Maybe but certainly more than what many other companies are doing.

      1. badflorist Silver badge

        Re: Cheapskates

        "...more than what many other companies are doing."

        In violating privacy and twisting ethics?

        In 2022 it seems socially responsible to sell the bug to a black hat for some cash AND hurt Google at the same time. Realistically at some point people need to "do the right thing".

  2. Anonymous Coward
    Anonymous Coward


    "...between $100 and $31,337 (eleet, elite ... geddit?)"

    I'm glad our humble Reg hack pointed out that (bad) joke on our behalf.

    Whichever commentard would have posted it first would have been insufferable.

    Oh, wait...

  3. Anonymous Coward
    Anonymous Coward

    avoiding real work

    so goog is getting thousands of people to look at their code to fix it's own devs sloppy work, for pennies on the dollar compared to having it done right in the first place.

    Always going with the lowest bidder, always bites you in the ass.

    and since goog is the lowest bidder on it's own mistakes, like the others said - there are people that will pay a lot more to exploit them than goog will pay to fix them. Not a great situation for anyone but the criminals.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like