Google Offers $20,000 Rewards to Drive OSS-Fuzz Initiative

Written by

Google is urging more members of the open source community to get on board with its OSS-Fuzz initiative designed to make software more secure, after revealing the discovery of over 1000 bugs in the past five months.

OSS-Fuzz was launched in a bid to encourage more open source developers to use the fuzz testing techniques which Google claims it has employed to spot hundreds of security and stability issues in Chrome.

The automated bot army which powers OSS-Fuzz processes 10 trillion test inputs a day and in doing so, has found 264 potential security vulnerabilities in 47 open source projects over the past five months, Google claimed in a blog post.

These include: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark.

“Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, before any users are affected,” the post claimed.

“Fuzzing not only finds memory safety related bugs, it can also find correctness or logic bugs. One example is a carry propagating bug in OpenSSL (CVE-2017-3732). Finally, OSS-Fuzz has reported over 300 timeout and out-of-memory failures (~75% of which got fixed). Not every project treats these as bugs, but fixing them enables OSS-Fuzz to find more interesting bugs.”

To help things along, Google is expanding its patch rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz.

Those hoping for a crack at the maximum $20,000 reward must be working for an open source project with a large user base and/or one that’s “critical to global IT infrastructure”.

Projects must also demonstrate that their fuzz targets provide code coverage of over 80%, and are “part of the official upstream development and regression testing process”, as well as various other qualifying criteria.

What’s hot on Infosecurity Magazine?