Google's Fuzz bot exposes over 1,000 open-source bugs

The OSS-Fuzz robot has uncovered vulnerabilities in a number of key open-source projects.
Written by Charlie Osborne, Contributing Writer

Google's OSS-Fuzz bug-hunting robot has been hard at work, and in recent months, over 1,000 bugs have been exposed.

According to Chrome Security engineers Oliver Chang and Abhishek Arya, software engineer Kostya Serebryany, and Google Security program manager Josh Armour, the OSS-Fuzz service has spent the past five months continuously fuzzing the open-source projects integrated with it, in pursuit of security vulnerabilities that could be exploited.

OSS-Fuzz finds bugs by fuzzing: automatically generating large volumes of malformed or mutated inputs, feeding them to a program or library, and watching for crashes, hangs, and memory errors flagged by sanitizers. Because input generation and crash detection are automated, fuzzing can ferret out bugs and potential vulnerabilities quickly without the process being labor-intensive for security engineers.

The technique itself is well-established, and since OSS-Fuzz was opened to the open-source community at large, over 10 trillion test inputs have been processed every day. Together with the open-source community, over 1,000 bugs have been discovered across 47 projects, of which 264 are potential security vulnerabilities.

The bugs and potential security issues uncovered include heap buffer overflows, use-after-free vulnerabilities, stack overflows, and data leaks. Fuzzing is not limited to memory-safety problems, however: OSS-Fuzz also records correctness and logic bugs.

Notably, OSS-Fuzz has found numerous security vulnerabilities in high-profile projects that supply components to well-known consumer software: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark. (Some discoveries have collided with other researchers' work, and some reports are view-restricted.)

"Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, so that the chances of users being affected are reduced," Google says.
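What a project contributes when it integrates with OSS-Fuzz is a fuzz target: a function that accepts an arbitrary byte buffer and hands it to the code under test. The example below is added here as an illustration and is not code from the original article or from OSS-Fuzz itself. It fuzzes a hypothetical length-prefixed record parser invented for this example, pairing a deliberately unchecked parser (the heap-buffer-overflow pattern from the bug classes above, which the harness never executes) with a bounds-checked one, plus the libFuzzer entry point `LLVMFuzzerTestOneInput` that OSS-Fuzz builds against. The record format, the function names and the stand-alone mutation loop are assumptions made for the example; the loop performs plain random mutation, not the coverage-guided mutation that libFuzzer and OSS-Fuzz actually use.

```c
// Added example, not from the original article or from OSS-Fuzz.
// Hypothetical wire format (an assumption for this example):
//   [1-byte tag][1-byte len][len bytes of payload]
// Build as a libFuzzer target:  clang -g -O1 -fsanitize=fuzzer,address fuzz_record.c
// Build stand-alone:            cc -DSTANDALONE fuzz_record.c -o fuzz_record
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAYLOAD_MAX 64

struct record {
    uint8_t tag;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* The kind of bug OSS-Fuzz reports as a heap-buffer-overflow: the declared
 * length is trusted, so a 3-byte input claiming len=200 makes memcpy read far
 * past the end of `data` and write past the end of `payload`. Never called by
 * the harness below; it is kept only to show the 'before' form. */
int parse_record_vulnerable(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 2) return -1;
    out->tag = data[0];
    out->len = data[1];
    memcpy(out->payload, data + 2, out->len);   /* BUG: no bounds check */
    return 0;
}

/* Hardened form: the declared length is checked against both the destination
 * buffer and the bytes actually present before any copy happens. */
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (data == NULL || out == NULL || size < 2) return -1;
    uint8_t len = data[1];
    if (len > PAYLOAD_MAX) return -2;        /* would overflow payload[] */
    if ((size_t)len > size - 2) return -3;   /* claims more bytes than given */
    out->tag = data[0];
    out->len = len;
    memcpy(out->payload, data + 2, len);
    return 0;
}

/* Wrapper for callers that only care about the status code. */
int parse_status(const uint8_t *data, size_t size)
{
    struct record r;
    return parse_record(data, size, &r);
}

/* libFuzzer entry point: the function an OSS-Fuzz build links against.
 * It must be deterministic and must not crash on malformed input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record r;
    (void)parse_record(data, size, &r);
    return 0;   /* non-zero return values are reserved by libFuzzer */
}

/* Minimal stand-alone driver: random byte mutation of a constructed seed with
 * no coverage feedback. libFuzzer replaces this with coverage-guided mutation.
 * Returns how many mutated inputs the hardened parser accepted. */
static size_t run_mutation_loop(unsigned iterations, unsigned seed)
{
    const uint8_t seed_input[] = { 0x01, 0x03, 'a', 'b', 'c' };  /* constructed */
    uint8_t buf[2 + PAYLOAD_MAX + 16];
    size_t accepted = 0;
    srand(seed);
    for (unsigned i = 0; i < iterations; i++) {
        size_t n = sizeof(seed_input);
        memcpy(buf, seed_input, n);
        buf[rand() % n] = (uint8_t)rand();                 /* flip one byte   */
        if (rand() % 4 == 0 && n < sizeof(buf)) buf[n++] = (uint8_t)rand();
        if (rand() % 4 == 0 && n > 1) n--;                 /* shrink the input */
        if (parse_status(buf, n) == 0) accepted++;
        LLVMFuzzerTestOneInput(buf, n);
    }
    return accepted;
}

#ifdef STANDALONE
int main(void)
{
    size_t ok = run_mutation_loop(10000, 1);
    printf("%zu of 10000 mutated inputs parsed cleanly\n", ok);
    return 0;
}
#endif
```

Under `-fsanitize=fuzzer,address`, swapping `parse_record` for `parse_record_vulnerable` inside `LLVMFuzzerTestOneInput` reproduces the heap-buffer-overflow report class within seconds; the `main` is guarded by `STANDALONE` because libFuzzer supplies its own.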

Google believes that fuzzing should be adopted as mainstream security practice. To this end, the company is expanding its Patch Rewards program to include rewards for open-source projects that integrate with OSS-Fuzz.

To qualify, a project must have a large user base or be critical to global IT infrastructure. An initial OSS-Fuzz integration earns a reward of $1,000, and what Google considers an "ideal integration" earns up to $20,000. Should the recipients choose to donate their reward to charity, the amount is doubled.

Interested parties can contact Google to apply.

"We'd like to thank the existing contributors who integrated their projects and fixed countless bugs," the Google team says. "We hope to see more projects integrated into OSS-Fuzz, and greater adoption of fuzzing as standard practice when developing software."

