OSS VRP

Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) rewards discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is among the largest contributors and users of open source software in the world.

The OSS VRP encourages researchers to report vulnerabilities with the greatest real and potential impact on open source software in the Google portfolio.

For more details on the OSS VRP such as an overview of in-scope repositories or qualifying vulnerabilities, see the information on this page and the program rules.
Examples

Some examples of valid OSS VRP issues:

  • Example 1: Leaking a GitHub token with write access to the main branch of a repository, via an insecure GitHub action executing on a PR.

  • Example 2: Leaking package manager credentials (e.g. PyPI, NPM) that could be used to publish back-doored software packages on Google's behalf.

  • Example 3: Insecure attribute binding in Angular that ignores the iframe.sandbox attribute, potentially leading to cross-site scripting in Angular applications.
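As an added illustration of Example 1 (this is not part of the program page and not code from any Google project), here is a small Python checker that flags the workflow pattern behind it: a pull_request_target trigger, whose job can hold a write-capable GITHUB_TOKEN, combined with checking out and executing the untrusted PR head. Both workflow texts are constructed samples; the hardened variant shows the unprivileged trigger and an explicitly read-only token.

```python
import re

# Constructed sample (not from any real repository) of the risky pattern behind
# Example 1: pull_request_target runs in the base repository's context with a
# GITHUB_TOKEN that can hold write access, and the job checks out and runs the PR head.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed hardened variant: the unprivileged pull_request trigger plus an
# explicit read-only token, so PR code never runs with write access.
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

PRIVILEGED_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
RUN_STEP = re.compile(r"^\s*(-\s*)?run\s*:", re.M)
READ_ONLY_CONTENTS = re.compile(r"^\s*contents\s*:\s*read\s*$", re.M)

def audit_workflow(text):
    """Return findings for one workflow file; an empty list means the pattern is absent."""
    findings = []
    if not PRIVILEGED_TRIGGER.search(text):
        return findings  # plain pull_request jobs get a read-only token for fork PRs
    if PR_HEAD_REF.search(text):
        findings.append("pull_request_target job checks out the untrusted PR head")
        if RUN_STEP.search(text):
            findings.append("run step executes PR-controlled code in the privileged job")
    if not READ_ONLY_CONTENTS.search(text):
        findings.append("GITHUB_TOKEN not restricted; add 'permissions: contents: read'")
    return findings
```

Running audit_workflow over every file under .github/workflows gives a quick first pass for this class of issue; a clean result does not prove a workflow safe, since injection through event fields in run steps is a separate check.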

Reward Amounts

Below you can find an overview of the different reward categories available for reports submitted to the OSS VRP, grouped by the project tier and vulnerability type. For full details see the Reward Amounts section of the OSS VRP rules.

Flagship OSS projects

  • Non-technical security vulnerabilities: $1,000

  • Product vulnerabilities: $500 - $7,500

  • Supply chain compromises: $3,133.7 - $31,337

Standard OSS projects

  • Non-technical security vulnerabilities: $500

  • Product vulnerabilities: $101 - $3,133.7

  • Supply chain compromises: $1,337 - $13,337

Links

  • Rules: all details of what's in scope, and our report standards.

  • Report: report a security vulnerability.