This article is more than 1 year old

Google boosts bounties for open source flaws found via fuzzing

Max reward per project integration is now $30k

Google sweetened the potential pot to $30,000 for bug hunters in its open source OSS-Fuzz code testing project.

On Wednesday, Google increased bounties for fuzzing coverage projects (up to $5,000 per project), and added rewards for some FuzzBench integrations. For the latter, contributors can claim a prize up to $11,337 for such integrations "that show significant improvement over existing fuzzers."

Additionally, researchers can earn money for integrating new sanitizers into OSS-Fuzz. The new sanitizers must find at least two legit vulnerabilities in an open source project, and the max payout for this new rewards category is also $11,337.

"These changes boost the total rewards possible per project integration from a maximum of $20,000 to $30,000 (depending on the criticality of the project)," Google Oliver Chang explained in a blog about the updates.

Fuzz testing, or fuzzing, is an automated software method that involves injecting random or semi-random data into the software to detect bugs. If something crops up, it can be worth investigating. Google's rewards program uses OSS-Fuzz: a free service that continuously tests code in some 700 open-source projects that the search giant developed in 2016 in response to the Heartbleed vulnerability issue. 

A year later, the ad giant established the OSS-Fuzz Reward Program. Since then, the bug-bounty efforts have helped fix more than 8,800 vulnerabilities and 28,000 bugs across 850 projects, we're told.

Last summer, the fuzzing service spotted a serious flaw in the TinyGLTF project, a library that relies on the C library function wordexp() for file path expansion on untrusted paths from an input file.

Over the years, the program has paid out $600,000 to more than 65 contributors who helped integrate new projects into OSS-Fuzz. 

OSS-Fuzz's language offerings currently include  C/C++, Go, Rust, Java, Python, and Swift, and it will soon support JavaScript fuzzing through Jazzer.js.

Last year, Google launched the OpenSSF FuzzIntrospector tool and integrated it into OSS-Fuzz. 

"The FuzzIntrospector tool provides these insights by identifying complex code blocks that are blocked during fuzzing at runtime, as well as suggesting new fuzz targets that can be added," Chang said. "We've seen users successfully use this tool to improve the coverage of jsonnet, file, xpdf and bzip2, among others."

Bug hunters can use this tool to increase the coverage of a project and now receive a prize as part of the OSS-Fuzz Rewards update, Chang added.

OSS-Fuzz Rewards is part of Google's broader Patch Rewards Program that incentivizes finding and fixing security flaws in open source security. It's a good scheme for finding bugs and saves Google a fortune in bug hunting.

In total, all of Google's bug bounty programs paid out a record $8.7 million in vulnerability rewards in 2021, which is the most recent year for which these figures are available. ®

More about


Send us news

Other stories you might like