Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

posted by hubie on Monday September 05 2022, @07:34PM   Printer-friendly
from the go-get-those-money dept.

upstart writes:

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks:

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.

Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.

With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.

Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible.

[...] Beefing up open source components, especially third-party libraries that act as the building block of many a software, has emerged a top priority in the wake of steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.

[...] "Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Google's Francis Perron and Krzysztof Kotowicz said.

[...] Earlier this May, the internet behemoth announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects.

Original Submission

 
This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by legont on Monday September 05 2022, @11:05PM (3 children)

    by legont (4179) on Monday September 05 2022, @11:05PM (#1270400)

    Lately financials tend to give you no choice.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by RedGreen on Tuesday September 06 2022, @12:06AM (1 child)

    by RedGreen (888) on Tuesday September 06 2022, @12:06AM (#1270407)

    "Lately financials tend to give you no choice."

    Yes they certainly try to get their garbage apps on the phone, but I am not biting for that foolishness. If I need banking I go to the bank or I will login to the website from a secure machine. And back to Google a few days ago a couple of new apps show up on my phone without any permission from me to install them, a video player and meet. That is quite the nerve not a god damn any kind of update to the OS ever and they will install their crap apps on my phone at least I could remove them until the next bunch of crap from them. Slimy bastards all the hundreds of billions they have made on the back of open source software and nothing but a pittance given back.

    --
    "I modded down, down, down, and the flames went higher." -- Sven Olsen

    • (Score: 4, Interesting) by Runaway1956 on Tuesday September 06 2022, @01:45AM

      by Runaway1956 (2926) Subscriber Badge on Tuesday September 06 2022, @01:45AM (#1270420) Journal

      https://forum.xda-developers.com/t/2022-07-03-v0-5-1-universal-android-debloater.4069209/ [xda-developers.com]

      Debloat and degoogle your mobile device. You can take charge of your Android, and make it passingly secure. For my purposes, it's perfectly safe to remove EVERYTHING under the "Recommended" heading. That gets rid of the manufacturer's preinstalled apps (Samsung, in my case), all of Google's tracking, telemetry, and advertising, as well as the carrier's software (Reminder that payment is due, connect to pay the bill, stupid games, cloud stuff, and more)

      My use case is not your use case. Before you start tearing stuff out, you should investigate some of it. If you rely on your device for important stuff, you may be constrained. But, you probably don't really need Google Maps, probably don't need three messenger programs, probably don't need Google Pay, etc ad nauseum. If you don't use Bluetooth, you can tear it out at the roots.

      I'd kinda like to remove more, but I don't know at what point the phone will stop being a phone.

      And, yes, you can remove a lot of "uninstallable" stuff with this. In most cases that's just a stupid flag set by the app itself, and so is that "non-moveable" flag that won't allow you to move an app with it's data to the microSD card.

  • (Score: 0) by Anonymous Coward on Tuesday September 06 2022, @12:13AM

    by Anonymous Coward on Tuesday September 06 2022, @12:13AM (#1270408)

    spend money like a drunken sailor for a few decades, and The Piper (Wall Street)
    will demand to be paid