Google expands open source bounty and will soon support JavaScript fuzzing


Google has expanded its OSS-Fuzz reward program, offering up to $30,000 to researchers who integrate open source projects into its fuzzing service and help it find security flaws in them.

The expanded scope raises the maximum reward from $20,000 to $30,000 per project integration.

OSS-Fuzz exists to help open source projects adopt fuzz testing; the new reward categories are meant to encourage contributions that make it easier to integrate new projects and that improve fuzzing across all of them.

Google has created two new reward categories for broad improvements that benefit all OSS-Fuzz projects. As Oliver Chang of Google's OSS-Fuzz team explains:

"We're offering up to $11,337 per category. We're also offering rewards for notable FuzzBench fuzzer integrations, and new sanitizer or 'bug detector' integrations to help find vulnerabilities."

According to Google, since 2016 OSS-Fuzz has helped 850 open source projects fix more than 8,800 vulnerabilities and 28,000 bugs; by December 2021 it had covered 500 projects. These range from end-user programs to libraries that many other open source projects depend on.

OSS-Fuzz lets researchers and maintainers run "fuzzing": automated testing that feeds a program large volumes of generated, malformed inputs in order to trigger crashes, hangs or memory errors that may indicate security flaws. A code testing service that

Google's OSS-Fuzz team has also outlined this year's direction for the program: supporting projects written in a wider range of programming languages.

For example, in September OSS-Fuzz was used to find a critical bug in TinyGLTF, a library written in C++. Before the bug was fixed, an attacker could execute code in any project that used the library as a dependency. Google noted at the time that although the library is written in C++, the bug was of a kind that can occur in any programming language, whereas fuzzing has historically focused on memory-safety bugs in C/C++ programs such as Chromium, the Linux kernel, Windows and Android.

Google notes that OSS-Fuzz is also used to detect issues in memory-safe languages such as Go, Rust, Python and Java. OSS-Fuzz will soon support JavaScript fuzzing as well, using Jazzer.js, in collaboration with Code Intelligence, an application security testing company.
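The fuzzing workflow and the Jazzer.js-style harness discussed above, as an added example that is not code from OSS-Fuzz, Jazzer.js, Code Intelligence or Google: a fuzz target over a toy binary record parser (a format constructed for this example), shown in a vulnerable and a hardened version, plus a small seeded mutation loop so the whole thing runs stand-alone under Node without Jazzer.js installed. The record format, parser names and the tiny driver are illustrative assumptions; only the general shape of the target (an exported `fuzz` function that receives a `Buffer`) follows the Jazzer.js convention.

```javascript
'use strict';
// Added example, not OSS-Fuzz/Jazzer.js code. Toy record format (constructed):
//   [type:1][len:2 big-endian][payload:len] repeated to end of input
//   type 1 = UTF-8 string, type 2 = 32-bit big-endian unsigned integer.

// Errors of this class mean "malformed input" and are expected; the harness
// swallows them. Anything else escaping the parser is a real bug.
class ParseError extends Error {}

// Vulnerable parser: trusts the declared length and never checks bounds.
function parseRecordsVulnerable(buf) {
  const out = [];
  let off = 0;
  while (off < buf.length) {
    const type = buf[off];
    const len = buf.readUInt16BE(off + 1);                // RangeError on a truncated header
    const payload = buf.subarray(off + 3, off + 3 + len); // silently short if truncated
    if (type === 1) out.push(payload.toString('utf8'));
    else if (type === 2) out.push(payload.readUInt32BE(0)); // RangeError if payload < 4 bytes
    else throw new ParseError(`unknown record type ${type}`);
    off += 3 + len;
  }
  return out;
}

// Hardened parser: every read is bounds-checked and reported as a ParseError.
function parseRecordsHardened(buf) {
  const out = [];
  let off = 0;
  while (off < buf.length) {
    if (off + 3 > buf.length) throw new ParseError('truncated record header');
    const type = buf[off];
    const len = buf.readUInt16BE(off + 1);
    if (off + 3 + len > buf.length) throw new ParseError('declared length exceeds input');
    const payload = buf.subarray(off + 3, off + 3 + len);
    if (type === 1) out.push(payload.toString('utf8'));
    else if (type === 2) {
      if (len !== 4) throw new ParseError('integer record must be 4 bytes');
      out.push(payload.readUInt32BE(0));
    } else throw new ParseError(`unknown record type ${type}`);
    off += 3 + len;
  }
  return out;
}

// Fuzz target in the shape Jazzer.js drives: a function taking a Buffer.
// Expected parse failures are swallowed; any other exception propagates,
// and that is what the fuzzer reports as a finding.
function makeFuzzTarget(parser) {
  return function fuzz(data) {
    try {
      parser(data);
    } catch (e) {
      if (e instanceof ParseError) return;
      throw e;
    }
  };
}

// A valid seed input (constructed): the string "hello" then the integer 42.
const SEED_INPUT = Buffer.concat([
  Buffer.from([1, 0, 5]), Buffer.from('hello', 'utf8'),
  Buffer.from([2, 0, 4, 0, 0, 0, 42]),
]);

// Deterministic xorshift32 PRNG so a run can be reproduced from its seed.
function xorshift32(seed) {
  let s = (seed >>> 0) || 0x9e3779b9;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s;
  };
}

// Byte-level mutations of the kind libFuzzer/Jazzer.js apply, minus the
// coverage feedback that makes real fuzzers effective.
function mutate(buf, rnd) {
  const b = Buffer.from(buf);
  switch (rnd() % 4) {
    case 0: if (b.length) b[rnd() % b.length] = rnd() & 0xff; return b; // overwrite a byte
    case 1: return b.subarray(0, rnd() % (b.length + 1));              // truncate
    case 2: return Buffer.concat([b, Buffer.from([rnd() & 0xff])]);    // append a byte
    default: { const p = rnd() % (b.length + 1);                       // insert a byte
      return Buffer.concat([b.subarray(0, p), Buffer.from([rnd() & 0xff]), b.subarray(p)]); }
  }
}

// Minimal fuzz loop: mutate a seed, run the target, record whatever escapes it.
function fuzzLoop(target, seeds, iterations, seed) {
  const rnd = xorshift32(seed);
  const corpus = seeds.map((s) => Buffer.from(s));
  const crashes = [];
  for (let i = 0; i < iterations; i++) {
    const input = mutate(corpus[rnd() % corpus.length], rnd);
    try {
      target(input);
    } catch (e) {
      crashes.push({ input: input.toString('hex'), error: String(e) });
    }
  }
  return crashes;
}

// Export in Jazzer.js form; `npx jazzer <this file>` would drive `fuzz` directly.
if (typeof module !== 'undefined') module.exports.fuzz = makeFuzzTarget(parseRecordsVulnerable);

// Stand-alone run: count findings for each parser under the same seed and budget.
function demo() {
  const vuln = fuzzLoop(makeFuzzTarget(parseRecordsVulnerable), [SEED_INPUT], 2000, 12345);
  const hard = fuzzLoop(makeFuzzTarget(parseRecordsHardened), [SEED_INPUT], 2000, 12345);
  return { vulnerableFindings: vuln.length, hardenedFindings: hard.length, sample: vuln[0] };
}
console.log(demo());
```

Two design points carry over to real harnesses. First, the target decides what counts as a finding: by catching only the parser's own `ParseError`, every other exception (here Node's `RangeError` on an out-of-bounds read, the JavaScript analogue of the memory errors a sanitizer flags in C/C++) surfaces as a crash with its reproducing input, so malformed-input handling that is documented behaviour does not flood the results. Second, the hardened parser turns every bounds violation into that expected error before any unchecked read happens, which is why the same loop finds nothing against it; the sanitizer and "bug detector" integrations the article mentions extend this to error classes that never raise an exception at all.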

Google has also integrated OpenSSF's FuzzIntrospector into OSS-Fuzz, and has since added support for the C/C++, Python and Java projects integrated into OSS-Fuzz, so that maintainers can measure how effective their fuzzing is and gain insight into how to improve coverage.
