Five months ago, Google launched its free OSS-Fuzz service with the purpose to help open source developers locate bugs in their code. “It is important,” said Google at the time, “that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it.”
Since then, the cloud service has attracted 47 open-source projects and has uncovered more than 1,000 bugs (264 of which are potential security vulnerabilities) while processing 10 trillion test inputs per day.
Google now wishes to attract more OSS projects to the initiative, and is offering a reward to do so. “We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process,” the company announced in a blog post yesterday. “To this end, we’d like to encourage more projects to participate and adopt the ideal integration guidelines that we’ve established.”
Google is expanding its Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz. It will pay projects $1,000 for the initial integration, and up to $20,000 (at its own discretion) for what it describes as an ‘ideal integration’.
The $20,000 is broken into four chunks of up to $5,000 each. The first requires checking the fuzz targets into their upstream repository and integrating into the build system with sanitizer support.
The second $5,000 comes if the targets are efficient and provide more than 80% code coverage. The third part of the ‘ideal’ integration requires regression testing; that is the targets be maintained, run against old known crashers and the periodically updated corpora.
Google calls the final $5,000 a ‘l33t’ bonus, “that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.”
The Patch Reward Program Rules have been expanded to include ‘projects integrated into OSS-Fuzz’. Interested parties are invited to apply for OSS-Fuzz integration and subsequent awards via the adapted Patch Submission Form.