Security Experts:

Connect with us

Hi, what are you looking for?



Google Shells Out $600,000 for OSS-Fuzz Project Integrations

Google announces an expansion of its OSS-Fuzz rewards program to help find software vulnerabilities before they are exploited.

Google this week announced an extension to its OSS-Fuzz rewards program, an initiative meant to reward contributors for integrating projects into OSS-Fuzz.

Launched in 2016, OSS-Fuzz is meant to help identify vulnerabilities in open source software through continuous fuzzing, with a declared goal of making common software infrastructure more secure.

Six months after the launch, Google announced that it was offering rewards between $1,000 and $20,000 for integrating projects into OSS-Fuzz, and now says that it has paid over $600,000 to more than 65 different contributors as part of the program.

The internet search marketing giant has now increased the highest reward available for new project integration to $30,000, which can be awarded depending on ‘the criticality of the project’.

Launched last year and already integrated into OSS-Fuzz, the tool performs analysis of functions, static call graphs, and runtime coverage information to provide insights into fuzzing coverage blockers.

“The Fuzz Introspector tool provides these insights by identifying complex code blocks that are blocked during fuzzing at runtime, as well as suggesting new fuzz targets that can be added,” Google says.

By increasing payouts and expanding the OSS-Fuzz rewards program, Google seeks to strengthen OSS-Fuzz to find more vulnerabilities before they are exploited.

Related: Google Announces Vulnerability Scanner for Open Source Developers

Related: Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Related: Google Wants More Projects Integrated With OSS-Fuzz

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.