Google wants more open source projects to include fuzzing during their development cycle, and to help things along, it's announced a rewards program that goes as high as US$20,000.
For now, the offerings are restricted to important projects – either those that have a large user base, or are judged “critical” to global infrastructure in some way.
The reward program is offered as part of Mountain View's OSS-Fuzz project, which according to this blog post has in the last five months turned up 1,000 bugs (including 247 potential security vulnerabilities) in 47 projects.
The fuzzing rewards are in an expanded Patch Rewards program, designed “to include rewards for the integration of fuzz targets into OSS-Fuzz”.
The top reward rate is for projects that comply with Google's “ideal integration” guidelines (detailed here).
As Google's OSS-Fuzz post notes: “To qualify for the ideal integration reward, projects must show that:
- ”Fuzz targets are checked into their upstream repository and integrated in the build system with sanitizer support (up to $5,000)”;
- “Fuzz targets are efficient and provide good code coverage (>80%) (up to $5,000)”;
- ”Fuzz targets are part of the official upstream development and regression testing process, i.e. they are maintained, run against old known crashers and the periodically updated corpora (up to $5,000)”; and
- “The last $5,000 is a “l33t” bonus that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.”
Google's breakdown of the bugs turned up by OSS-Fuzz is below. ®