Google's Fuzz bot exposes over 1,000 open-source bugs

May 9, 2017 18:41 GMT  ·  By

In the five months since Google announced OSS-Fuzz, its continuous fuzzing service for open-source projects, the company has found over 1,000 bugs, 264 of which are potential security vulnerabilities.

The infrastructure processes 10 trillion test inputs a day, and 47 projects have already integrated with OSS-Fuzz, which is where those thousand-plus bugs were found.

"OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFMpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801)," Google said.

According to the company, once a project is integrated, the continuous and automated nature of OSS-Fuzz means that it often catches these issues just hours after a regression is introduced into the upstream repository, which reduces the chance that users are ever affected.

Fuzzing is best known for finding memory-safety bugs, but it also turns up correctness and logic bugs.

Google adds that OSS-Fuzz has also reported over 300 timeout and out-of-memory failures, roughly three-quarters of which have already been fixed.

More cash rewards

To encourage more projects to participate, and to adopt the integration guidelines it has established, Google is expanding its Patch Rewards program to cover projects that integrate fuzz targets into OSS-Fuzz.

"Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration (the final amount is at our discretion). You have the option of donating these rewards to charity instead, and Google will double the amount," the company notes.

To qualify for the ideal integration rewards, projects must show that their fuzz targets are checked into the upstream repository and integrated into the build system with sanitizer support, that the targets are efficient and provide good code coverage (over 80%), and that fuzzing is part of the official upstream development and regression testing process. Each of these three criteria is worth $5,000; the final $5,000 is awarded at Google's discretion to projects it feels have gone the extra mile.
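What such a checked-in fuzz target looks like, and how it catches both the memory-safety and the logic bugs mentioned earlier, is easiest to show in code. The following is an added example written for this article, not OSS-Fuzz's own code nor that of any project listed above: a libFuzzer-style target for a small type-length-value decoder constructed here. The wire format, the names decode_tlv and encode_tlv, the record limit and the build flags are all assumptions made for illustration; the `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guard relies on the macro clang predefines for `-fsanitize=fuzzer` builds.

```c
/* Added example (not OSS-Fuzz's or any project's code): a libFuzzer-style
 * fuzz target for a TLV decoder constructed for this illustration.
 *
 * Fuzzing build (ASan + libFuzzer):
 *   clang -g -O1 -fsanitize=fuzzer,address fuzz_tlv.c -o fuzz_tlv && ./fuzz_tlv corpus/
 * Plain replay build (no libFuzzer), e.g. for a CI regression run:
 *   cc -g -fsanitize=address fuzz_tlv.c -o replay && ./replay crash-*
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 64  /* assumed limit for the example */

/* Constructed wire format: records of [type:1 byte][len:1 byte][value:len bytes]. */
typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t value[255];
} record_t;

/* Decode every record in data. Returns the record count, or -1 if the input
 * is malformed. The two bound checks are exactly what an ASan-instrumented
 * fuzz run flags when they are missing. */
int decode_tlv(const uint8_t *data, size_t size, record_t *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos < size) {
        if (size - pos < 2)
            return -1;                  /* truncated header */
        uint8_t type = data[pos];
        uint8_t len = data[pos + 1];
        pos += 2;
        if (len > size - pos)
            return -1;                  /* value would run past the buffer */
        if (n == max_out)
            return -1;                  /* caller's array is full */
        out[n].type = type;
        out[n].len = len;
        memcpy(out[n].value, data + pos, len);
        pos += len;
        n++;
    }
    return (int)n;
}

/* Serialise records into buf. Returns bytes written, or -1 if cap is too small. */
int encode_tlv(const record_t *recs, size_t n, uint8_t *buf, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = 2 + (size_t)recs[i].len;
        if (cap - pos < need)
            return -1;
        buf[pos++] = recs[i].type;
        buf[pos++] = recs[i].len;
        memcpy(buf + pos, recs[i].value, recs[i].len);
        pos += recs[i].len;
    }
    return (int)pos;
}

/* The fuzz target: libFuzzer (and so OSS-Fuzz) calls this once per generated
 * input. Memory-safety bugs in the decoder surface through ASan; the
 * round-trip check turns a logic bug (decode then encode not reproducing the
 * input) into an abort the fuzzer reports and minimises like a crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    record_t recs[MAX_RECORDS];
    int n = decode_tlv(data, size, recs, MAX_RECORDS);
    if (n < 0)
        return 0;                       /* rejecting malformed input is correct */

    uint8_t *buf = malloc(size ? size : 1);
    if (!buf)
        return 0;
    int written = encode_tlv(recs, (size_t)n, buf, size);
    /* A successful decode consumed every byte, so re-encoding must be the identity. */
    if (written != (int)size || (size && memcmp(buf, data, size) != 0))
        abort();
    free(buf);
    return 0;
}

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Without libFuzzer, replay each file named on the command line through the
 * target: this is how a project keeps reproducer files in its own regression suite. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); return 1; }
        uint8_t *data = NULL, *p;
        size_t size = 0, cap = 0;
        int c;
        while ((c = fgetc(f)) != EOF) {
            if (size == cap) {
                cap = cap ? cap * 2 : 256;
                if (!(p = realloc(data, cap))) { free(data); fclose(f); return 1; }
                data = p;
            }
            data[size++] = (uint8_t)c;
        }
        fclose(f);
        LLVMFuzzerTestOneInput(data, size);
        printf("%s: ok\n", argv[i]);
        free(data);
    }
    return 0;
}
#endif
```

ASan covers the memory-safety side: drop the `len > size - pos` check and the fuzzer reports a heap-buffer-overflow read inside memcpy as soon as it generates a record whose declared length exceeds the remaining input. The round-trip check covers the logic side: any decode/encode mismatch aborts, so a pure correctness bug is reported the same way a crash is. Checking this file into the repository, building it with the sanitizer flags in CI, and replaying reproducer files through the main() above is what the "part of the regression testing process" criterion means in practice.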