Google expands open-source bounties, will soon support JavaScript fuzzing too

Google is expanding its open source OSS-Fuzz bug bounty and is adding support for projects written in the most popular programming languages.
Written by Liam Tung, Contributing Writer

Google has expanded its OSS-Fuzz Reward Program to offer rewards of up to $30,000 for researchers who find security flaws in open-source programs. 

The expanded scope of the program now means the total rewards possible per project integration rise from $20,000 to $30,000. 


The purpose of OSS-Fuzz is to help open-source projects adopt fuzz testing, and the new reward categories pay those who create more ways of integrating new projects.

Google created two new reward categories that reward wider improvements across all OSS-Fuzz projects, with up to $11,337 available per category. It is also offering rewards for notable FuzzBench fuzzer integrations, and for integrating new sanitizers or 'bug detectors' that help find vulnerabilities.

"We hope to accelerate the integration of critical open source projects into OSS-Fuzz by providing stronger incentives to security researchers and open source maintainers," explains Oliver Chang of Google's OSS-Fuzz team.  

Since 2016, OSS-Fuzz has helped get over 8,800 vulnerabilities and 28,000 bugs fixed across 850 open-source projects, according to Google. In December 2021, it covered 500 projects. The projects range from end-user programs to libraries used by a variety of other OSS projects.

OSS-Fuzz is a code-testing service that allows researchers to conduct "fuzzing": automated software testing that feeds a program generated inputs with the aim of crashing it or causing a memory leak that might indicate a security flaw.

Google's OSS-Fuzz team outlined the direction the program is taking this year in terms of support for projects written in different programming languages. 

For example, in September, OSS-Fuzz was used to spot a serious bug in TinyGLTF, a library written in C++. Before being fixed, the bug could have allowed attackers to execute code in projects using the library as a dependency. Google noted at the time that, while the library was written in C++, the bug was applicable to all programming languages and justified the fuzzing approach, which historically was focused on programs written in C/C++. These include Chromium, the Linux kernel, Windows, Android, and many more.

Google notes OSS-Fuzz is also being used to detect problems in memory-safe languages, including Go, Rust, Python, and Java. And, working with application security testing firm Code Intelligence, OSS-Fuzz will soon support JavaScript fuzzing through Jazzer.js.


Google has also integrated OpenSSF's FuzzIntrospector into OSS-Fuzz, and has since added support for the C/C++, Python, and Java projects integrated into OSS-Fuzz, so that maintainers can gain insights into how to improve the effectiveness and coverage of fuzzing their project.
