OSS VRP
The OSS VRP encourages researchers to report vulnerabilities with the greatest real and potential impact on open source software in the Google portfolio.
For more details on the OSS VRP such as an overview of in-scope repositories or qualifying vulnerabilities, see the information on this page and the program rules.
Examples
Some examples of valid OSS VRP issues:
Example 1
Leaking a GitHub token with write access to the main branch of a repository, via an insecure GitHub action executing on a PR.
Example 2
Leaking package manager credentials (e.g. PyPI, NPM) that could be used to publish back-doored software packages on Google's behalf.
Example 3
Insecure attribute binding in Angular that ignores the iframe.sandbox attribute, potentially leading to cross-site scripting in Angular applications.
Reward Amounts
Below you can find an overview of the different reward categories available for reports submitted to the OSS VRP, grouped by the project tier and vulnerability type. For full details see the Reward Amounts section of the OSS VRP rules.
Flagship OSS projects:
- $1,000 for non-technical security vulnerabilities
- $500 - $7,500 for product vulnerabilities
- $3,133.7 - $31,337 for supply chain compromises

Standard OSS projects:
- $500 for non-technical security vulnerabilities
- $101 - $3,133.7 for product vulnerabilities
- $1,337 - $13,337 for supply chain compromises