The Mountain View ads giant said it will hand folks each up to $5,000 in Google Compute Engine (GCE) credits to conduct fuzzing tests on JS interpreters, earmarking $50,000 total for the program. The grants will go to security bods who can figure out better ways to bombard the software with carefully crafted data in the hope of homing in on exploitable security vulnerabilities, such as heap overflows and function pointer overwrites, that can be subsequently fixed.
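To make the "bombard the software with carefully crafted data" idea concrete, here is an added educational example, not Fuzzilli and not any Google or Project Zero code. It is a minimal mutation-based fuzzer in Python run against a constructed toy target: `parse_record`, a length-prefixed record parser with one deliberately planted bounds bug (a trusted length field), standing in for the kind of memory-safety defect a JS-engine fuzzer hunts. The function names `mutate`, `fuzz` and `reproduces` are this example's own.

```python
import random

# Constructed toy target (hypothetical; not a real JS engine or any real project's parser).
# Format: [1 byte n][n bytes name][1 byte k][k bytes value]
# Deliberate bug: k is trusted without checking the remaining buffer length, so a truncated
# input reads past the end of the data and raises IndexError, the Python analogue of an
# out-of-bounds read that in native code could be memory corruption.
def parse_record(data: bytes) -> dict:
    if not data:
        raise ValueError("empty input")            # graceful rejection, not a crash
    n = data[0]
    if 1 + n >= len(data):
        raise ValueError("truncated name field")   # this bound IS checked
    name = data[1:1 + n]
    k = data[1 + n]
    value = bytes(data[2 + n + i] for i in range(k))   # this bound is NOT checked
    return {"name": name, "value": value}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: bit flip, insert, delete or overwrite."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "overwrite"))
    if op == "insert" or not buf:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "flip":
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "delete":
        del buf[rng.randrange(len(buf))]
    else:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(target, seeds, iterations: int, seed: int = 0):
    """Mutate seed inputs, feed them to target, and collect deduplicated crashes.

    ValueError is treated as the parser correctly rejecting malformed input;
    any other exception is recorded as a crash, keyed by type and message so
    that thousands of hits on the same bug collapse to one entry.  Inputs the
    parser accepts are kept in the corpus, a crude stand-in for coverage feedback.
    """
    rng = random.Random(seed)                      # fixed seed: reproducible campaign
    corpus = [bytes(s) for s in seeds]
    seen = set(corpus)
    crashes = {}                                   # (exc type, message) -> first input
    stats = {"ok": 0, "rejected": 0, "crash": 0}
    for _ in range(iterations):
        child = rng.choice(corpus)
        for _ in range(rng.randint(1, 4)):         # stack a few mutations per test case
            child = mutate(child, rng)
        try:
            target(child)
        except ValueError:
            stats["rejected"] += 1
        except Exception as exc:                   # anything unexpected is a finding
            stats["crash"] += 1
            crashes.setdefault((type(exc).__name__, str(exc)), child)
        else:
            stats["ok"] += 1
            if child not in seen:
                seen.add(child)
                corpus.append(child)
    return crashes, stats


def reproduces(target, data: bytes) -> bool:
    """Re-run one saved input and report whether it still crashes (a rejection is not a crash)."""
    try:
        target(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


if __name__ == "__main__":
    seed_input = b"\x03abc\x02xy"                  # constructed valid record: name=abc, value=xy
    found, stats = fuzz(parse_record, [seed_input], iterations=3000, seed=7)
    print("stats:", stats)
    for (kind, msg), sample in found.items():
        print(f"{kind}: {msg!r} <- {sample!r} reproduces={reproduces(parse_record, sample)}")
```

The deduplication by exception type and message is the small-scale version of what matters at the scale the article describes: a campaign that costs thousands of dollars of compute is only useful if the output is a short list of distinct, reproducible bugs rather than a mountain of near-identical crash logs.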
As an example of the high cost involved in probing non-trivial code, Groß said the Google Cloud virtual-machine instances used to find about 20 bugs with Google Project Zero's JS engine fuzzer Fuzzilli in 2019 would have set you and me back around $10,000.
"Income from bug bounty programs is uncertain, as there is no guarantee a new approach will also discover new bugs," he added. "Moreover, as any bounty money is paid out only later, researchers need to bear the costs of fuzzing in advance. This likely results in bugs staying unfixed and thus exploitable for longer. This program aims to help solve this problem."
The program isn't entirely new, by the way: it had previously been an academic-only operation, and anyone wanting to get credits to work on better fuzzing had to be part of a university in order to get a grant.
"Submissions are not limited to those in academia or those with a demonstrated track record of success – if you have a good idea in this space, we'd love to hear from you," said Groß. "Incoming submissions will be reviewed by a review board on a regular basis and we aim to respond to every submission within 2 weeks."
That said, Google is placing some conditions on the work. Flaw-finders will have to report any vulnerabilities they find along the way to the affected vendor – be it Apple, Google, Microsoft, or Mozilla – and publish something, such as a blog post, detailing the find, or present it at a conference, within six months of getting the grant. Infosec bods in US-sanctioned countries such as North Korea, Iran, Cuba, and Syria are also out of luck.
Use of Google's Fuzzilli tool is also "encouraged" by the Project Zero team.
Any CVE credits and bug bounty payouts that come along with the fuzzing work can be kept by the finder, though Google is asking that everyone involved make their work open source and share it with the rest of the world. Google also wants its own private report on the work, something Groß says is intended to "make our folks in accounting happy," and ensure that people aren't just taking their free compute time fruitlessly. ®