Open-Source Software Security at Stake! Google Willing to Pay US$31k for Bug Hunters

Breach into Codecov's system and Log4Systems sending the supply chain tipsy turvy is still fresh in the memories

Compared with proprietary software, open-source software scores higher on many counts, and for small and medium companies it is the cost savings that matter most. One might wonder what a mighty company like Google has to do with open-source software. Google has been at the forefront of contributing to open-source software development and encouraging its free adoption. It is a known fact that a single security gap can disrupt gigantic and well-grounded systems. The constant need for faster innovation demands code reuse, which escalates the practice of borrowing OSS libraries from third parties. The breach of Codecov's system and Log4Systems sending the supply chain topsy-turvy are still fresh in memory. A report, "State of the Software Supply Chain", published in 2021, says the magnitude of the risk that open-source software supply chains face might render them inefficient, with around 37 million available projects at risk.

Google maintains multiple OSS projects, including the web development platform Angular, the OS platform Fuchsia, and the programming language Golang, which will now be covered by its Vulnerability Rewards Program (VRP), under which bug bounty hunters can earn up to Rs 25 Lakh. Google's VRP dates back to 2010 and has paid out more than $38 million in rewards for projects covering multiple products such as the Chrome web browser and the Android mobile operating system. Only now has it been extended to open-source software projects. This reflects how vulnerable open-source software projects, mostly used by everyday users, are becoming. "Google is proud to both support and be a part of the open-source software community. Through our existing bug bounty programs, we've rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP," wrote Google's open-source security technical program manager Francis Perron and information security engineer Krzysztof Kotowicz. Google's VRP is part of the $10 bn commitment it made in 2021 at the White House Summit held to support the US president's cyber security action plan.

Why do we need to secure open-source software?

Open-source security becomes a critical part of bug hunting because big frameworks, web servers, and languages such as React, Angular, Django, and Spring are mostly supported by large vendors who follow industry standards. Open-source software from small vendors may not have that kind of backing: it is developed for a specific purpose, and in the event of a breach there may be no one available to fix the bugs. This is a technical blind spot that comes with open-source software and a modern security risk in the open-source realm. Open-source code is primarily considered secure because of its strong community, which is actively involved in plugging breaches from time to time. However, open-source code is not backed by financial incentives, so its security depends solely on the generosity of community members; real-time monitoring in particular requires special tools that can prove costly for programmers. So, for people interested in bug hunting, Google has given them a reason to flex their bug-hunting mojo while taking a large bounty home.

Analytics Insight
www.analyticsinsight.net