
SoylentNews is people

posted by hubie on Monday September 05 2022, @07:34PM
from the go-get-those-money dept.

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks:

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.

Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.

With the tech giant being the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.

Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible.

[...] Beefing up open source components, especially third-party libraries that act as the building blocks of much software, has emerged as a top priority in the wake of a steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.

[...] "Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Google's Francis Perron and Krzysztof Kotowicz said.

[...] Earlier this May, the internet behemoth announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects.


Related Stories

There is No “Software Supply Chain”

There is no "software supply chain":

In actual supply chains, money is changing hands. A server manufacturer is paying for PCB fabrication, who is paying their suppliers for raw materials and equipment, and so on until the whole thing eventually loops back on itself when a mining company needs to buy a server.

When you take on an additional dependency in a software project, often money does not change hands. `npm install' and `cargo add' do not bill your credit card. There is no formal agreement between a maintainer and its downstream users.

There is a lot of attention on securing "software supply chains." The usual approach is that you want to try to avoid security issues in your underlying components from impacting customers of your product; and when they do, you want to be able to respond quickly to fix the issue. The people who care about this class of problem are often software companies. The class of components that are most concerning these companies are ones where unpaid hobbyist maintainers wrote something for themselves with no maintenance plan.

This is where the supply chain metaphor — and it is just that, a metaphor — breaks down. [...] Using the term "supply chain" here dehumanizes the labor involved in developing and maintaining software as a hobby.

[...] I just want to publish software that I think is neat so that other hobbyists can use and learn from it, and I otherwise want to be left the hell alone. I should be allowed to decide if something I wrote is "done". The focus on securing the "software supply chain" has made it even more likely that releasing software for others to use will just mean more work for me that I don't benefit from. I reject the idea that a concept so tenuous can be secured in the first place.

Is there such a thing as a software supply chain?

Related: Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks


This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by RedGreen on Monday September 05 2022, @07:50PM (4 children)

    by RedGreen (888) on Monday September 05 2022, @07:50PM (#1270373)

    The "let's lock the barn door after the horse has bolted from the stables" approach. Better than nothing, I guess, which is their approach to Android on our phones, which is why mine will never be used for anything related to my finances or anything else important.

    --
    "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 2) by legont on Monday September 05 2022, @11:05PM (3 children)

      by legont (4179) on Monday September 05 2022, @11:05PM (#1270400)

      Lately financials tend to give you no choice.

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 2) by RedGreen on Tuesday September 06 2022, @12:06AM (1 child)

        by RedGreen (888) on Tuesday September 06 2022, @12:06AM (#1270407)

        "Lately financials tend to give you no choice."

        Yes, they certainly try to get their garbage apps on the phone, but I am not biting for that foolishness. If I need banking I go to the bank, or I will log in to the website from a secure machine. And back to Google: a few days ago a couple of new apps showed up on my phone without any permission from me to install them, a video player and Meet. That is quite the nerve: not a god damn update of any kind to the OS ever, and they will install their crap apps on my phone; at least I could remove them, until the next bunch of crap from them. Slimy bastards, all the hundreds of billions they have made on the back of open source software and nothing but a pittance given back.

        --
        "I modded down, down, down, and the flames went higher." -- Sven Olsen
        • (Score: 4, Interesting) by Runaway1956 on Tuesday September 06 2022, @01:45AM

          by Runaway1956 (2926) on Tuesday September 06 2022, @01:45AM (#1270420)

          https://forum.xda-developers.com/t/2022-07-03-v0-5-1-universal-android-debloater.4069209/

          Debloat and degoogle your mobile device. You can take charge of your Android, and make it passingly secure. For my purposes, it's perfectly safe to remove EVERYTHING under the "Recommended" heading. That gets rid of the manufacturer's preinstalled apps (Samsung, in my case), all of Google's tracking, telemetry, and advertising, as well as the carrier's software (reminders that payment is due, connect to pay the bill, stupid games, cloud stuff, and more).

          My use case is not your use case. Before you start tearing stuff out, you should investigate some of it. If you rely on your device for important stuff, you may be constrained. But you probably don't really need Google Maps, probably don't need three messenger programs, probably don't need Google Pay, etc. ad nauseam. If you don't use Bluetooth, you can tear it out at the roots.

          I'd kinda like to remove more, but I don't know at what point the phone will stop being a phone.

          And, yes, you can remove a lot of "uninstallable" stuff with this. In most cases that's just a stupid flag set by the app itself, and so is that "non-moveable" flag that won't allow you to move an app with its data to the microSD card.

      • (Score: 0) by Anonymous Coward on Tuesday September 06 2022, @12:13AM

        by Anonymous Coward on Tuesday September 06 2022, @12:13AM (#1270408)

        Spend money like a drunken sailor for a few decades, and The Piper (Wall Street) will demand to be paid.

  • (Score: 4, Insightful) by kazzie on Monday September 05 2022, @08:04PM (2 children)

    by kazzie (5309) on Monday September 05 2022, @08:04PM (#1270377)

    With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia

    So major, I'd heard of exactly one of those.

    Clearly I'm not moving in the right circles these days...

    • (Score: 2) by legont on Monday September 05 2022, @11:02PM

      by legont (4179) on Monday September 05 2022, @11:02PM (#1270399)

      I've heard of Golag but it's far east somewhere, isn't it?

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2) by coolgopher on Tuesday September 06 2022, @03:20AM

      by coolgopher (1157) on Tuesday September 06 2022, @03:20AM (#1270423)

      I've heard of Bazel, but only because my colleague has been swearing over it for weeks about its inability to support cross-compilation properly without having to go to extreme lengths to work around the tool itself.

      Meanwhile, all the old stuff using autotools and make handle whatever cross environment mix we throw at it just fine.
