Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped recover from 8800 vulnerabilities and 28,000 bugs fastened throughout 850 tasks. Today, we’re glad to announce an enlargement of our OSS-Fuzz Rewards Program, plus new options in OSS-Fuzz and our involvement in supporting tutorial fuzzing analysis.
The OSS-Fuzz challenge’s goal is to assist the open supply group in adopting fuzz testing, or fuzzing — an automatic code testing method for uncovering bugs in software program. In addition to the OSS-Fuzz service, which offers a free platform for steady fuzzing to vital open supply tasks, we established an OSS-Fuzz Reward Program in 2017 as a part of our wider Patch Rewards Program.
We’ve operated this efficiently for the previous 5 years, and so far, the OSS-Fuzz Reward Program has awarded over $600,000 to over 65 totally different contributors for his or her assist integrating new tasks into OSS-Fuzz.
Today, we’re excited to announce that we’ve expanded the scope of the OSS-Fuzz Reward Program significantly, introducing many new forms of rewards!
These new reward sorts cowl contributions akin to:
- Project fuzzing protection will increase
- Notable FuzzBench fuzzer integrations
- Integrating a brand new sanitizer (instance) that finds two new vulnerabilities
These adjustments enhance the entire rewards doable per challenge integration from a most of $20,000 to $30,000 (relying on the criticality of the challenge). In addition, we’ve additionally established two new reward classes that reward wider enhancements throughout all OSS-Fuzz tasks, with as much as $11,337 out there per class.
For extra particulars, see the absolutely up to date guidelines for our devoted OSS-Fuzz Reward Program.
We’ve repeatedly made enhancements to OSS-Fuzz’s infrastructure through the years and expanded our language choices to cowl C/C++, Go, Rust, Java, Python, and Swift, and have launched assist for brand spanking new frameworks akin to FuzzTake a look at. Additionally, as a part of an ongoing collaboration with Code Intelligence, we’ll quickly have assist for JavaScript fuzzing via Jazzer.js.
Last yr, we launched the OpenSSF FuzzIntrospector instrument and built-in it into OSS-Fuzz.
We’ve continued to construct on this by including new language assist and higher evaluation, and now C/C++, Python, and Java tasks built-in into OSS-Fuzz have detailed insights on how the protection and fuzzing effectiveness for a challenge will be improved.
The FuzzIntrospector instrument offers these insights by figuring out advanced code blocks which are blocked throughout fuzzing at runtime, in addition to suggesting new fuzz targets that may be added. We’ve seen customers efficiently use this instrument to enhance the protection of jsonnet, file, xpdf and bzip2, amongst others.
Anyone can use this instrument to extend the protection of a challenge and in flip be rewarded as a part of the refreshed OSS-Fuzz rewards. See the full checklist of all OSS-Fuzz FuzzIntrospector stories to get began.
The OSS-Fuzz staff maintains FuzzBench, a service that allows safety researchers in academia to check fuzzing enhancements towards real-world open supply tasks. Approaching its third anniversary in serving free benchmarking, FuzzBench is cited by over 100 papers and has been used as a platform for tutorial fuzzing workshops akin to NDSS’22.
This yr, FuzzBench has been invited to take part within the SBFT’23 workshop in ICSE, a premier analysis convention within the discipline, which for the primary time is internet hosting a fuzzing competitors. During this competitors, the FuzzBench platform might be used to guage state-of-the-art fuzzers submitted by researchers from across the globe on each code protection and bug-finding metrics.
We imagine these initiatives will assist scale safety testing efforts throughout the broader open supply ecosystem. We hope to speed up the combination of vital open supply tasks into OSS-Fuzz by offering stronger incentives to safety researchers and open supply maintainers. Combined with our involvement in fuzzing analysis, these efforts are making OSS-Fuzz an much more highly effective instrument, enabling customers to seek out extra bugs, and, extra critically, discover them earlier than the unhealthy guys do!