Wednesday, February 8, 2023

Google Online Security Blog: Taking the next step: OSS-Fuzz in 2023


Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we’re happy to announce an expansion of our OSS-Fuzz Rewards Program, plus new features in OSS-Fuzz and our involvement in supporting academic fuzzing research.

The OSS-Fuzz project’s purpose is to support the open source community in adopting fuzz testing, or fuzzing — an automated code testing technique for uncovering bugs in software. In addition to the OSS-Fuzz service, which provides a free platform for continuous fuzzing to critical open source projects, we established an OSS-Fuzz Reward Program in 2017 as part of our wider Patch Rewards Program.

We’ve operated this successfully for the past 5 years, and to date, the OSS-Fuzz Reward Program has awarded over $600,000 to over 65 different contributors for their help integrating new projects into OSS-Fuzz.

Today, we’re excited to announce that we’ve expanded the scope of the OSS-Fuzz Reward Program considerably, introducing many new types of rewards!

These new reward types cover contributions such as:

  • Project fuzzing coverage increases
  • Notable FuzzBench fuzzer integrations
  • Integrating a new sanitizer (example) that finds two new vulnerabilities

These changes boost the total rewards possible per project integration from a maximum of $20,000 to $30,000 (depending on the criticality of the project). In addition, we’ve also established two new reward categories that reward wider improvements across all OSS-Fuzz projects, with up to $11,337 available per category.

For more details, see the fully updated rules for our dedicated OSS-Fuzz Reward Program.

We’ve continuously made improvements to OSS-Fuzz’s infrastructure over the years and expanded our language offerings to cover C/C++, Go, Rust, Java, Python, and Swift, and have introduced support for new frameworks such as FuzzTest. Additionally, as part of an ongoing collaboration with Code Intelligence, we’ll soon have support for JavaScript fuzzing through Jazzer.js.

Last year, we launched the OpenSSF FuzzIntrospector tool and integrated it into OSS-Fuzz.

We’ve continued to build on this by adding new language support and better analysis, and now C/C++, Python, and Java projects integrated into OSS-Fuzz have detailed insights on how the coverage and fuzzing effectiveness for a project can be improved.

The FuzzIntrospector tool provides these insights by identifying complex code blocks that are blocked during fuzzing at runtime, as well as suggesting new fuzz targets that can be added. We’ve seen users successfully use this tool to improve the coverage of jsonnet, file, xpdf and bzip2, among others.

Anyone can use this tool to increase the coverage of a project and in turn be rewarded as part of the refreshed OSS-Fuzz rewards. See the full list of all OSS-Fuzz FuzzIntrospector reports to get started.

The OSS-Fuzz team maintains FuzzBench, a service that enables security researchers in academia to test fuzzing improvements against real-world open source projects. Approaching its third anniversary in serving free benchmarking, FuzzBench is cited by over 100 papers and has been used as a platform for academic fuzzing workshops such as NDSS’22.

This year, FuzzBench has been invited to participate in the SBFT’23 workshop in ICSE, a premier research conference in the field, which for the first time is hosting a fuzzing competition. During this competition, the FuzzBench platform will be used to evaluate state-of-the-art fuzzers submitted by researchers from around the globe on both code coverage and bug-finding metrics.

We believe these initiatives will help scale security testing efforts across the broader open source ecosystem. We hope to accelerate the integration of critical open source projects into OSS-Fuzz by providing stronger incentives to security researchers and open source maintainers. Combined with our involvement in fuzzing research, these efforts are making OSS-Fuzz an even more powerful tool, enabling users to find more bugs, and, more critically, find them before the bad guys do!


