Google Shells Out $600,000 for OSS-Fuzz Project Integrations

Google this week announced an extension to its OSS-Fuzz rewards program, an initiative meant to reward contributors for integrating projects into OSS-Fuzz.

Launched in 2016, OSS-Fuzz is meant to help identify vulnerabilities in open source software through continuous fuzzing, with a declared goal of making common software infrastructure more secure.

Six months after the launch, Google announced that it was offering rewards between $1,000 and $20,000 for integrating projects into OSS-Fuzz, and now says that it has paid over $600,000 to more than 65 different contributors as part of the program.

The internet search marketing giant has now increased the highest reward available for new project integration to $30,000, which can be awarded depending on ‘the criticality of the project’.

Launched last year and already integrated into OSS-Fuzz, the tool performs analysis of functions, static call graphs, and runtime coverage information to provide insights into fuzzing coverage blockers.

“The Fuzz Introspector tool provides these insights by identifying complex code blocks that are blocked during fuzzing at runtime, as well as suggesting new fuzz targets that can be added,” Google says.

By increasing payouts and expanding the OSS-Fuzz rewards program, Google seeks to strengthen OSS-Fuzz to find more vulnerabilities before they are exploited.

Related: Google Announces Vulnerability Scanner for Open Source Developers

Related: Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Related: Google Wants More Projects Integrated With OSS-Fuzz