Google has sweetened the pot to $30,000 for bug hunters in its open source OSS-Fuzz code testing project.

On Wednesday, Google increased bounties for fuzzing coverage tasks (up to $5,000 per project), and added rewards for some FuzzBench integrations. For the latter, contributors can claim a prize of up to $11,337 for integrations “that show significant improvement over existing fuzzers.”

Moreover, researchers can earn money for integrating new sanitizers into OSS-Fuzz. The new sanitizers must find at least two legitimate vulnerabilities in an open source project, and the maximum payout for this new rewards category is also $11,337.

“These changes raise the total rewards possible per project integration from a maximum of $20,000 to $30,000 (depending on the criticality of the project),” Google's Oliver Chang explained in a blog post about the updates.

Fuzz testing, or fuzzing, is an automated software testing method that involves injecting random or semi-random data into the software to detect bugs. If something crops up, it may be worth investigating. Google's rewards program uses OSS-Fuzz: a free service that continuously checks code in some 700 open-source projects, which the search giant developed in 2016 in response to the Heartbleed vulnerability.

A year later, the ad giant established the OSS-Fuzz Reward Program. Since then, the bug-bounty efforts have helped fix more than 8,800 vulnerabilities and 28,000 bugs across 850 projects, we're told.

Last summer, the fuzzing service spotted a serious flaw in the TinyGLTF project, a library that relied on the C library function wordexp() for file path expansion on untrusted paths taken from an input file.
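The hazard in that class of bug is that wordexp() performs shell-style expansion, so a path from an untrusted file can carry a command substitution. The helper below is an added illustration of the defensive usage, not TinyGLTF's code: it expands a path with WRDE_NOCMD so that `$(...)` and backtick forms are rejected instead of executed, and it refuses input that does not expand to exactly one word (the function name, buffer size and sample paths are assumptions).

```c
#include <stddef.h>
#include <string.h>
#include <wordexp.h>

/* Expand a file path taken from an untrusted input file without allowing
 * the input to run commands. Returns 0 and writes the single expanded
 * word to `out`; returns -1 if the input attempts command substitution,
 * references an undefined variable, is malformed, or expands to anything
 * other than exactly one word that fits in `out`. (Hypothetical helper.) */
int expand_untrusted_path(const char *path, char *out, size_t outlen) {
    wordexp_t we;
    /* WRDE_NOCMD: refuse $(...) and `...` (wordexp returns WRDE_CMDSUB).
     * WRDE_UNDEF: treat an undefined $VAR as an error rather than "". */
    int rc = wordexp(path, &we, WRDE_NOCMD | WRDE_UNDEF);
    if (rc != 0) {
        /* On error no wordfree() is needed except for WRDE_NOSPACE. */
        if (rc == WRDE_NOSPACE) {
            wordfree(&we);
        }
        return -1;
    }
    /* A path must be exactly one word; globs or spaces producing several
     * words are rejected rather than silently truncated. */
    if (we.we_wordc != 1 || strlen(we.we_wordv[0]) >= outlen) {
        wordfree(&we);
        return -1;
    }
    strcpy(out, we.we_wordv[0]);
    wordfree(&we);
    return 0;
}
```

Even with WRDE_NOCMD, wordexp() still performs tilde and variable expansion, so the input can still pull values such as $HOME into the path; where none of that expansion is actually needed, using the path verbatim (after a plain directory-traversal check) is the safer choice.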

Over time, the program has paid out $600,000 to more than 65 contributors who helped integrate new projects into OSS-Fuzz.

OSS-Fuzz's language offerings currently include C/C++, Go, Rust, Java, Python, and Swift, and it will soon support JavaScript fuzzing via Jazzer.js.

Last year, Google launched the OpenSSF FuzzIntrospector tool and integrated it into OSS-Fuzz.

“The FuzzIntrospector tool provides these insights by identifying complex code blocks that are blocked during fuzzing at runtime, as well as suggesting new fuzz targets that can be added,” Chang said. “We've seen users successfully use this tool to improve the coverage of jsonnet, file, xpdf and bzip2, among others.”

Bug hunters can use this tool to increase the coverage of a project and now receive a prize as part of the OSS-Fuzz Rewards update, Chang added.

OSS-Fuzz Rewards is part of Google's broader Patch Rewards Program, which incentivizes finding and fixing security flaws in open source. It's a good scheme for finding bugs and saves Google a fortune in bug hunting.

In total, all of Google's bug bounty programs paid out a record $8.7 million in vulnerability rewards in 2021, the most recent year for which these figures are available. ®