Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Google Wants More Projects Integrated With OSS-Fuzz

Google this week revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz.

Google this week revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz.

Launched in December 2016, OSS-Fuzz is a free and continuous fuzzing infrastructure hosted on the Google Cloud Platform and designed to serve the Open Source Software (OSS) community through finding security vulnerabilities and stability issues.

OSS-Fuzz has already helped find and report over 9,000 flaws since launch, including bugs in critical projects such as FreeType2, FFmpeg, LibreOffice, SQLite, OpenSSL, and Wireshark.

Recently, Google has managed to consolidate the bug hunting and reporting processes into a single workflow, by unifying and automating its fuzzing tools, and believes that the OSS community should take advantage of this.

Thus, the Internet search giant has decided to contact the developers of critical projects and invite them to integrate with the fuzzing service.

“Projects integrated with OSS-Fuzz will benefit from being reviewed by both our internal and external fuzzing tools, thereby increasing code coverage and discovering bugs faster,” Google says.

Previously, the reporting process was a bit complex, as multiple tools were being used to identify bugs, while submissions were manually made to various public bug trackers, and then monitored until resolved.

“We are committed to helping open source projects benefit from integrating with our OSS-Fuzz fuzzing infrastructure. In the coming weeks, we will reach out via email to critical projects that we believe would be a good fit and support the community at large,” Google now says.

Projects that integrate are also eligible for rewards that range from $1,000 for initial integration to $20,000 for ideal integration. The rewards, Google says, should “offset the cost and effort required to properly configure fuzzing for OSS projects.”

Developers who would like to integrate their projects with OSS-Fuzz can submit them for review. Google wants to “admit as many OSS projects as possible and ensure that they are continuously fuzzed.” Contacted developers might be provided with a sample fuzz target for easy integration, the search company says.

Related: OpenSSL Patches Flaws Found With Google Fuzzer

Related: Google Offers $20,000 to Join OSS-Fuzz Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.