Google expands open source bounties and will soon support JavaScript fuzzing

Google has expanded the OSS-Fuzz reward program, which now offers up to $30,000 to researchers and maintainers who integrate open source projects into its fuzzing service so that security flaws in those projects can be found by fuzzing.

Under the expanded scope, the total reward available for onboarding a single project rises from $20,000 to $30,000.

OSS-Fuzz's goal is to help open source projects adopt fuzz testing, and the new award categories also reward work that improves fuzzing across all integrated projects rather than the onboarding of any single one.

Google has created two new award categories that reward broader improvements across all OSS-Fuzz projects, with up to $11,337 available per category: notable FuzzBench fuzzer integrations, and the integration of new sanitizers, or "bug detectors", that help find vulnerabilities.

“We hope to accelerate the integration of critical open source projects into OSS-Fuzz by providing stronger incentives for security researchers and open source maintainers,” says Oliver Chang of Google’s OSS-Fuzz team.

Since 2016, OSS-Fuzz has helped fix more than 8,800 vulnerabilities and 28,000 bugs across 850 open source projects, according to Google; as of December 2021 it actively covered 500 projects. These include end-user programs as well as libraries that many other open source projects depend on.

OSS-Fuzz is a continuous testing service that runs "fuzzing" against the projects integrated into it: automated testing that feeds a program large volumes of generated and mutated inputs and watches for crashes, hangs and memory errors such as leaks, any of which may indicate a security vulnerability.

Google's OSS-Fuzz team also described how the program is expanding this year to support projects written in more programming languages.

For example, in September, OSS-Fuzz spotted a serious bug in TinyGLTF, a library written in C++. Before it was fixed, the bug could have allowed attackers to run code in projects that use the library as a dependency. Google noted at the time that, although the library is written in C++, the bug belonged to a class that can occur in any programming language, not only memory-unsafe ones, and cited it as justification for extending fuzzing beyond its historical focus on C/C++ codebases such as Chromium, the Linux kernel, Windows and Android.

Google notes that OSS-Fuzz already finds bugs in projects written in memory-safe languages, including Go, Rust, Python and Java. In addition, working with the application security testing company Code Intelligence, OSS-Fuzz will soon support JavaScript fuzzing through Jazzer.js.

Google has also integrated OpenSSF's Fuzz Introspector into OSS-Fuzz, with support for the C/C++, Python and Java projects integrated there, giving maintainers insight into how to improve the efficiency and coverage of a project's fuzzing.
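To make the definition of fuzzing above concrete, and to show what a "crash" means once the target is written in a memory-safe language, here is a small coverage-guided mutation fuzzer in Python. It is an added illustration written for this article, not code from OSS-Fuzz, libFuzzer or Jazzer.js. The target parse_header(), its four-byte "FZ" header format and the planted bug (a version-2 checksum computed over an empty payload) are all constructed for the example. The harness keeps any mutated input that executes a line of the parser not seen before, exactly the feedback loop a coverage-guided fuzzer uses, and treats any exception the parser does not document (here IndexError rather than the expected ValueError) as the finding, where a C harness under AddressSanitizer would instead report a memory error.

```python
"""Minimal coverage-guided mutation fuzzer (added illustration, not OSS-Fuzz code).

The target, parse_header(), is a constructed toy parser with a deliberately
planted bug; its byte format and the bug are assumptions made for this example.
"""
import random
import sys

# Constructed wire format: 2-byte magic "FZ", 1 version byte, 1 length byte, payload.
MAGIC = b"FZ"
INTERESTING = [0x00, 0x01, 0x02, 0x7F, 0x80, 0xFF]  # boundary values worth trying


def parse_header(data: bytes) -> dict:
    """Toy parser. Raises ValueError on malformed input (documented behaviour).

    Planted bug: for version 2 the checksum reads payload[0] and payload[-1]
    without checking that the payload is non-empty, so a zero-length payload
    raises IndexError, which the harness below treats as a crash.
    """
    if len(data) < 4:
        raise ValueError("short")
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    version = data[2]
    if version > 2:
        raise ValueError("unsupported version")
    length = data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated")
    checksum = 0
    if version == 2:
        checksum = payload[0] ^ payload[-1]  # IndexError when length == 0
    return {"version": version, "payload": payload, "checksum": checksum}


def run_with_coverage(target, data):
    """Run target(data); return (set of line numbers executed in target, exception or None)."""
    covered = set()
    code = target.__code__

    def tracer(frame, event, arg):
        # sys.settrace calls this on 'call'; returning it makes it the per-line tracer.
        if frame.f_code is code and event == "line":
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        exc = None
    except Exception as e:  # any exception is data for the fuzzer, not an error here
        exc = e
    finally:
        sys.settrace(None)
    return covered, exc


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation (flip, overwrite, delete or insert)."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                      # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                    # overwrite with an interesting value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2 and len(buf) > 1:           # delete a byte
        del buf[rng.randrange(len(buf))]
    else:                                        # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seeds, iterations=30000, seed=1, expected=(ValueError,)):
    """Coverage-guided loop: keep inputs that reach new lines, stop at the first
    exception not in `expected`. Returns (crashing_input, exception, corpus)."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    corpus = list(seeds)
    total_coverage = set()
    for data in corpus:
        cov, exc = run_with_coverage(target, data)
        if exc is not None and not isinstance(exc, expected):
            return data, exc, corpus
        total_coverage |= cov
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        cov, exc = run_with_coverage(target, candidate)
        if exc is not None and not isinstance(exc, expected):
            return candidate, exc, corpus
        if not cov <= total_coverage:            # new lines reached: keep as a seed
            total_coverage |= cov
            corpus.append(candidate)
    return None, None, corpus


if __name__ == "__main__":
    seed_input = MAGIC + bytes([1, 5]) + b"hello"   # constructed valid input
    crash, exc, corpus = fuzz(parse_header, [seed_input])
    print(f"corpus grew to {len(corpus)} inputs")
    if crash is not None:
        print(f"crash: {crash!r} -> {type(exc).__name__}: {exc}")
```

The crash can only be reached in two steps from the seed (the version byte must become 2, then the length byte must become 0), and the first step alone produces no visible failure. The fuzzer still finds it because reaching the version-2 branch executes a new line, so that input is kept and mutated further; a loop that discarded every non-crashing input would rarely get there.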
