Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks:
Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.
Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.
With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.
Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible.
[...] Beefing up open source components, especially third-party libraries that act as the building block of many a software, has emerged a top priority in the wake of steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.
[...] "Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Google's Francis Perron and Krzysztof Kotowicz said.
[...] Earlier this May, the internet behemoth announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects.
(Score: 2) by RedGreen on Tuesday September 06 2022, @12:06AM (1 child)
"Lately financials tend to give you no choice."
Yes they certainly try to get their garbage apps on the phone, but I am not biting for that foolishness. If I need banking I go to the bank or I will login to the website from a secure machine. And back to Google a few days ago a couple of new apps show up on my phone without any permission from me to install them, a video player and meet. That is quite the nerve not a god damn any kind of update to the OS ever and they will install their crap apps on my phone at least I could remove them until the next bunch of crap from them. Slimy bastards all the hundreds of billions they have made on the back of open source software and nothing but a pittance given back.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 4, Interesting) by Runaway1956 on Tuesday September 06 2022, @01:45AM
https://forum.xda-developers.com/t/2022-07-03-v0-5-1-universal-android-debloater.4069209/ [xda-developers.com]
Debloat and degoogle your mobile device. You can take charge of your Android, and make it passingly secure. For my purposes, it's perfectly safe to remove EVERYTHING under the "Recommended" heading. That gets rid of the manufacturer's preinstalled apps (Samsung, in my case), all of Google's tracking, telemetry, and advertising, as well as the carrier's software (Reminder that payment is due, connect to pay the bill, stupid games, cloud stuff, and more)
My use case is not your use case. Before you start tearing stuff out, you should investigate some of it. If you rely on your device for important stuff, you may be constrained. But, you probably don't really need Google Maps, probably don't need three messenger programs, probably don't need Google Pay, etc ad nauseum. If you don't use Bluetooth, you can tear it out at the roots.
I'd kinda like to remove more, but I don't know at what point the phone will stop being a phone.
And, yes, you can remove a lot of "uninstallable" stuff with this. In most cases that's just a stupid flag set by the app itself, and so is that "non-moveable" flag that won't allow you to move an app with it's data to the microSD card.