Google raised the potential pot to $30,000 for bug hunters in its open-source OSS-Fuzz code testing project.
On Wednesday, Google increased rewards for fuzzing coverage projects (up to $5,000 per project), and increased rewards for some FuzzBench integrations. For the latter, contributors can claim a reward of up to $11,337 for integrations “that show a significant improvement over existing fuzzers.”
Additionally, researchers can earn money for integrating new sanitizers into OSS-Fuzz. New sanitizers must find at least two legal vulnerabilities in an open-source project, and the maximum payout for this new category of rewards is $11,337.
Google’s Oliver Chang explained in a blog about the updates, “These changes increase the potential total rewards per project integration to a maximum of $20,000 to $30,000 (depending on project criticality).
Fuzz testing, or fuzzing, is an automated software method that involves injecting random or semi-random data into software to detect bugs. If something arises, it may be worth investigating. Google’s bounty program uses OSS-Fuzz: a free service that continuously tests code in nearly 700 open-source projects that the search giant developed in 2016 in response to the HeartBlade vulnerability issue.
A year later, the advertising company established the OSS-Fuzz Reward Program. Since then, bug bounty efforts have helped fix more than 8,800 vulnerabilities and 28,000 bugs in 850 projects, we’re told.
Last summer, the fuzzing service discovered a serious flaw in the TinyGLTF project, a library that relies on the C library function wordexp() to expand file paths from an input file to untrusted paths.
Over the years, the program has paid out $600,000 to more than 65 contributors who helped integrate new projects into OSS-Fuzz.
OSS-Fuzz’s language offerings currently include C/C++, Go, Rust, Java, Python, and Swift, and it will soon support JavaScript fuzzing via Jazzer.js.
Last year, Google launched the OpenSSF FuzzIntrospector tool and integrated it into OSS-Fuzz.
“The FuzIntrospector tool provides these insights by identifying complex code blocks that get blocked during fuzzing at runtime, as well as suggesting new fuzz targets that can be added,” said Chang. “We’ve seen customers use this tool successfully to improve coverage of jsonnet, file, xpdf and bzip2.”
Chang added that bug hunters can use the tool to increase coverage of a project and now get rewarded as part of the OSS-Fuzz Rewards update.
OSS-Fuzz Rewards is part of Google’s broader Patch Rewards program that encourages finding and fixing security flaws in open source security. This is a good scheme for finding bugs and saves Google a fortune in bug hunting.
In total, all of Google’s bug bounty programs paid out a record $8.7 million in risk rewards in 2021, the most recent year for which data is available. ®