Stories
Slash Boxes
Comments

SoylentNews is people

posted by hubie on Monday September 05 2022, @07:34PM   Printer-friendly
from the go-get-those-money dept.

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks:

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks.

Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs.

With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.

Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible.

[...] Beefing up open source components, especially third-party libraries that act as the building block of many a software, has emerged a top priority in the wake of steady escalation in supply chain attacks targeting Maven, NPM, PyPI, and RubyGems.

[...] "Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability," Google's Francis Perron and Krzysztof Kotowicz said.

[...] Earlier this May, the internet behemoth announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects.


Original Submission

 
This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by Runaway1956 on Tuesday September 06 2022, @01:45AM

    by Runaway1956 (2926) Subscriber Badge on Tuesday September 06 2022, @01:45AM (#1270420) Journal

    https://forum.xda-developers.com/t/2022-07-03-v0-5-1-universal-android-debloater.4069209/ [xda-developers.com]

    Debloat and degoogle your mobile device. You can take charge of your Android, and make it passingly secure. For my purposes, it's perfectly safe to remove EVERYTHING under the "Recommended" heading. That gets rid of the manufacturer's preinstalled apps (Samsung, in my case), all of Google's tracking, telemetry, and advertising, as well as the carrier's software (Reminder that payment is due, connect to pay the bill, stupid games, cloud stuff, and more)

    My use case is not your use case. Before you start tearing stuff out, you should investigate some of it. If you rely on your device for important stuff, you may be constrained. But, you probably don't really need Google Maps, probably don't need three messenger programs, probably don't need Google Pay, etc ad nauseum. If you don't use Bluetooth, you can tear it out at the roots.

    I'd kinda like to remove more, but I don't know at what point the phone will stop being a phone.

    And, yes, you can remove a lot of "uninstallable" stuff with this. In most cases that's just a stupid flag set by the app itself, and so is that "non-moveable" flag that won't allow you to move an app with it's data to the microSD card.

    Starting Score:    1  point
    Moderation   +3  
       Interesting=3, Total=3
    Extra 'Interesting' Modifier   0  

    Total Score:   4