SecurityWeek

Vulnerabilities

Google Offers $20,000 to Join OSS-Fuzz Program

Five months ago, Google launched its free OSS-Fuzz service to help open source developers locate bugs in their code. “It is important,” said Google at the time, “that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it.”

Since then, the cloud service has attracted 47 open-source projects and has uncovered more than 1,000 bugs (264 of which are potential security vulnerabilities) while processing 10 trillion test inputs per day.

Google now wishes to attract more OSS projects to the initiative, and is offering a reward to do so. “We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process,” the company announced in a blog post yesterday. “To this end, we’d like to encourage more projects to participate and adopt the ideal integration guidelines that we’ve established.”

Google is expanding its Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz. It will pay projects $1,000 for the initial integration, and up to $20,000 (at its own discretion) for what it describes as an ‘ideal integration’.

The $20,000 is broken into four chunks of up to $5,000 each. The first requires checking the fuzz targets into the project's upstream repository and integrating them into the build system with sanitizer support.

The second $5,000 comes if the targets are efficient and provide more than 80% code coverage. The third part of the ‘ideal’ integration requires regression testing; that is, the targets must be maintained and run against old known crashers and periodically updated corpora.
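To make the three criteria above concrete, here is an added example (not code from the article, from Google, or from any OSS-Fuzz project) of a libFuzzer-style fuzz target for a small hypothetical record parser, built with sanitizer support and replayed over a checked-in regression corpus of known crashers. The parser, the corpus entries and the build flags are assumptions constructed for the example; `LLVMFuzzerTestOneInput` is the real entry-point name libFuzzer calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical library code under test (constructed for this example):
 * parses a byte stream of records laid out as type(1) len(1) value(len)
 * and returns the record count, or -1 if the stream is malformed.
 * The bounds checks below are exactly what a sanitizer-built fuzz target
 * would flag if they were missing. */
int parse_records(const uint8_t *data, size_t size) {
    size_t off = 0;
    int count = 0;
    while (off < size) {
        if (size - off < 2)
            return -1;                      /* need both header bytes */
        uint8_t len = data[off + 1];
        if (len > size - off - 2)
            return -1;                      /* value would run past the buffer */
        off += 2 + (size_t)len;
        count++;
    }
    return count;
}

/* The fuzz target: the entry point libFuzzer (and therefore OSS-Fuzz) calls
 * with each mutated input. Built with -fsanitize=fuzzer,address, any memory
 * error inside parse_records becomes a crash report. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)parse_records(data, size);
    return 0;                               /* libFuzzer requires 0 */
}

/* Regression corpus: inputs that once crashed, plus seed inputs, checked into
 * the repository and replayed on every run so fixed bugs stay fixed.
 * All entries here are constructed for the example. */
struct corpus_entry {
    const char *name;
    const uint8_t *data;
    size_t size;
};

static const uint8_t kTwoRecords[]     = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00};
static const uint8_t kTruncatedValue[] = {0x01, 0x05, 0xAA};
static const uint8_t kLoneTypeByte[]   = {0x01};

static const struct corpus_entry kCorpus[] = {
    {"two-records",     kTwoRecords,     sizeof kTwoRecords},
    {"truncated-value", kTruncatedValue, sizeof kTruncatedValue},
    {"lone-type-byte",  kLoneTypeByte,   sizeof kLoneTypeByte},
    {"empty",           kTwoRecords,     0},
};

size_t corpus_size(void) { return sizeof kCorpus / sizeof kCorpus[0]; }

/* Replays every corpus entry through the fuzz target and returns how many
 * were replayed; with ASan enabled, a regressed bug aborts the process. */
size_t replay_corpus(const struct corpus_entry *entries, size_t n) {
    for (size_t i = 0; i < n; i++)
        LLVMFuzzerTestOneInput(entries[i].data, entries[i].size);
    return n;
}

/* Stand-alone regression runner (hypothetical build lines; file name assumed):
 *   clang -g -fsanitize=address -DREGRESSION_MAIN fuzz_records.c -o regression
 * For fuzzing, omit -DREGRESSION_MAIN because libFuzzer supplies main():
 *   clang -g -O1 -fsanitize=fuzzer,address fuzz_records.c -o fuzz_records */
#ifdef REGRESSION_MAIN
int main(void) {
    size_t n = replay_corpus(kCorpus, corpus_size());
    printf("replayed %zu corpus entries without a sanitizer report\n", n);
    return 0;
}
#endif
```

The same source file serves both roles: linked against libFuzzer it is the continuously running target, and built with only AddressSanitizer it is the regression test the third criterion asks for, replaying the stored crashers on every commit.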

Google calls the final $5,000 a ‘l33t’ bonus, “that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.”

The Patch Reward Program Rules have been expanded to include ‘projects integrated into OSS-Fuzz’. Interested parties are invited to apply for OSS-Fuzz integration and subsequent awards via the adapted Patch Submission Form.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
