This article is more than 1 year old

And you thought Fuzzilli was a pasta... Google offers up $50k in cloud credits to fuzz the hell out of JavaScript engines

And don't forget the paperwork after, says Chocolate Factory

Google is offering bug hunters thousands of dollars worth of compute time on its cloud to hammer away at JavaScript engines and uncover new security flaws in the software.

The Mountain View ads giant said it will hand folks each up to $5,000 in Google Compute Engine (GCE) credits to conduct fuzzing tests on JS interpreters, earmarking $50,000 total for the program. The grants will go to security bods who can figure out better ways to bombard the software with carefully crafted data in the hope of homing in on exploitable security vulnerabilities, such as heap overflows and function pointer overwrites, that can be subsequently fixed.

Researchers can focus on any of the major JavaScript engines: Safari's JavaScriptCore, Chrome and Edge's v8, or the Firefox Spidermonkey engine. The program is set to run until October 1, 2021, or until the cash runs out. Google's Project Zero hopes this offering will lead to people figuring out more efficient ways to suss out bugs in complex software that pretty much everyone uses every day without breaking the bank.

"JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild zero-day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome," explained Project Zero's Samuel Groß on Thursday. "Unfortunately, fuzzing JavaScript engines to uncover these vulnerabilities is generally quite expensive due to their high complexity and relatively slow processing of input.

As an example of the high cost involved in probing non-trivial code, Groß said the Google Cloud virtual-machine instances used to find about 20 bugs with Google Project Zero's JS engine fuzzer Fuzzilli in 2019 would have set you and I back around $10,000.

"Income from bug bounty programs is uncertain, as there is no guarantee a new approach will also discover new bugs," he added. "Moreover, as any bounty money is paid out only later, researchers need to bear the costs of fuzzing in advance. This likely results in bugs staying unfixed and thus exploitable for longer. This program aims to help solve this problem."

JavaScript code

Not Particularly Mortifying: IEEE eggheads probe npm registry, say JavaScript libs not as insecure as feared


The program isn't entirely new, by the way: it had previously been an academic-only operation, and anyone wanting to get credits to work on better fuzzing had to be part of a university in order to get a grant.

"Submissions are not limited to those in academia or those with a demonstrated track record of success – if you have a good idea in this space, we'd love to hear from you," said Groß. "Incoming submissions will be reviewed by a review board on a regular basis and we aim to respond to every submission within 2 weeks."

That said, Google is placing some conditions on the work. Flaw-finders will have to report any vulnerabilities they find along the way to the affected vendor – be it Apple, Google, Microsoft, or Mozilla – and publish something, such as a blog post, detailing the find, or present it at a conference, within six months of getting the grant. Infosec bods in US-sanctioned countries such as North Korea, Iran, Cuba, and Syria are also out of luck.

Use of Google' Fuzzilli tool is also "encouraged" by the Project Zero team.

Any CVE credits and bug bounty payouts that come along with the fuzzing work can be kept by the finder, though Google is asking that everyone involved make their work open source and share it with the rest of the world. Google also wants its own private report on the work, something Groß says is intended to "make our folks in accounting happy," and ensure that people aren't just taking their free compute time fruitlessly. ®

More about


Send us news

Other stories you might like