Google this week revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz.
Launched in December 2016, OSS-Fuzz is a free and continuous fuzzing infrastructure hosted on the Google Cloud Platform and designed to serve the Open Source Software (OSS) community through finding security vulnerabilities and stability issues.
OSS-Fuzz has already helped find and report over 9,000 flaws since launch, including bugs in critical projects such as FreeType2, FFmpeg, LibreOffice, SQLite, OpenSSL, and Wireshark.
Recently, Google has managed to consolidate the bug hunting and reporting processes into a single workflow, by unifying and automating its fuzzing tools, and believes that the OSS community should take advantage of this.
Thus, the Internet search giant has decided to contact the developers of critical projects and invite them to integrate with the fuzzing service.
“Projects integrated with OSS-Fuzz will benefit from being reviewed by both our internal and external fuzzing tools, thereby increasing code coverage and discovering bugs faster,” Google says.
Previously, the reporting process was a bit complex, as multiple tools were being used to identify bugs, while submissions were manually made to various public bug trackers, and then monitored until resolved.
“We are committed to helping open source projects benefit from integrating with our OSS-Fuzz fuzzing infrastructure. In the coming weeks, we will reach out via email to critical projects that we believe would be a good fit and support the community at large,” Google now says.
Projects that integrate are also eligible for rewards that range from $1,000 for initial integration to $20,000 for ideal integration. The rewards, Google says, should “offset the cost and effort required to properly configure fuzzing for OSS projects.”
Developers who would like to integrate their projects with OSS-Fuzz can submit them for review. Google wants to “admit as many OSS projects as possible and ensure that they are continuously fuzzed.” Contacted developers might be provided with a sample fuzz target for easy integration, the search company says.