Five months ago, Google launched its free OSS-Fuzz service with the purpose to help open source developers locate bugs in their code. “It is important,” said Google at the time, “that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it.”
Since then, the cloud service has attracted 47 open-source projects and has uncovered more than 1,000 bugs (264 of which are potential security vulnerabilities) while processing 10 trillion test inputs per day.
Google now wishes to attract more OSS projects to the initiative, and is offering a reward to do so. “We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process,” the company announced in a blog post yesterday. “To this end, we’d like to encourage more projects to participate and adopt the ideal integration guidelines that we’ve established.”
Google is expanding its Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz. It will pay projects $1,000 for the initial integration, and up to $20,000 (at its own discretion) for what it describes as an ‘ideal integration’.
The $20,000 is broken into four chunks of up to $5,000 each. The first requires checking the fuzz targets into their upstream repository and integrating into the build system with sanitizer support.
The second $5,000 comes if the targets are efficient and provide more than 80% code coverage. The third part of the ‘ideal’ integration requires regression testing; that is the targets be maintained, run against old known crashers and the periodically updated corpora.
Google calls the final $5,000 a ‘l33t’ bonus, “that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.”
The Patch Reward Program Rules have been expanded to include ‘projects integrated into OSS-Fuzz’. Interested parties are invited to apply for OSS-Fuzz integration and subsequent awards via the adapted Patch Submission Form.
More from Kevin Bowers
- Alexa May Be Recording More Than You Realize
- UK’s NCSC Adopts HackerOne for Vulnerability Coordination Disclosure
- Artificial Intelligence in Cybersecurity is Not Delivering on its Promise
- Untangle Partners With Malwarebytes to Bring Layered Security to SMBs
- Testing Security Products: Third-Party Standards vs. In-House Testing
- New Cyber Readiness Program Launched for SMBs
- Personal Details of 120 Million Brazilians Exposed
- Researchers Find Thousands of Twitter Amplification Bots in Just One Day
Latest News
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
