Google sets up research grant for finding bugs in browser JavaScript engines

Eligible browser JavaScript engines include JavaScriptCore (Safari), V8 (Chrome, Edge), and Spidermonkey (Firefox).
Written by Catalin Cimpanu, Contributor
Image: Markus Spiske

Google has set up a research grant program to help and sponsor security researchers and academics find vulnerabilities in browser JavaScript engines.

The program has one rule, namely that the bugs must be identified using "fuzzing."

Fuzzing, or fuzz testing, is a technique for identifying bugs by throwing random, invalid, or unexpected data as input into a program and analyzing the output for abnormalities.

Fuzzing rarely used to hunt bugs

The technique is broadly used inside big tech companies but rarely by security researchers working on their own as fuzzing is computationally expensive and usually requires access to vast and expensive cloud computing resources.

Security researchers working on their own usually don't get paid until months after they filed a bug on public bug bounty platforms, and the payouts aren't always guaranteed to cover any initial costs with renting large cloud computing resources to perform large-scale fuzzing operations.

In a blog post on Thursday, Google said it created this research grant to address this particular problem.

Via its new pilot program, security researchers and academics can apply for funds to use for fuzzing any browser JavaScript engine of their choosing.

Google says it will analyze each submission and provide an answer to all applicants within two weeks. Approved projects can receive up to $5,000 in funding.

The funds will be provided as credits for Google Compute Engine, Google Cloud's heavy computing infrastructure, to avoid the funds being misappropriated.

Open-source tool already available

This is a special pilot program that will run only from October 1, 2020, to October 1, 2021. The program has been named the Fuzzilli Research Grant after Google's own Fuzzilli open-source fuzzing tool, which supports distributed fuzzing on GCE and which Google encourages researchers to use.

Google said that all bugs identified during the pilot program must be reported to affected vendors. Researchers can keep additional bug bounty payouts for the bugs they find during the pilot program.

Eligible browser JavaScript engines include JavaScriptCore (Safari), V8 (Chrome, Edge), and Spidermonkey (Firefox), but security researchers can pitch other engines in their submitted proposals.

JavaScript engines are an intrinsic part of modern web browsers. Their role is to read JavaScript files and code that a browser downloads or receives from a website, interpret it, and then instruct other browser components how to render the result (the web page, animations, background operations, browser extensions, etc.).

They have a central role in a browser, and as a result, are likely to be attacked by threat actors.

"JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild 0day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome," Samuel Groß, a security researcher part of the Google Project Zero team and the Fuzzilli author, said this week.

Additional program rules are here.

All the Chromium-based browsers

Editorial standards