OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark. We've also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view-restricted, so links may show smaller numbers.)
Once a project is integrated into OSS-Fuzz, its continuous and automated nature means that we often catch these issues just hours after the regression is introduced into the upstream repository, which reduces the chance of users ever being affected.
Fuzzing finds not only memory-safety bugs but also correctness or logic bugs. One example is a carry-propagation bug in OpenSSL (CVE-2017-3732).
Finally, OSS-Fuzz has reported over 300 timeout and out-of-memory failures (~75% of which got fixed). Not every project treats these as bugs, but fixing them enables OSS-Fuzz to find more interesting bugs: an input that hangs or exhausts memory stalls the fuzzer and wastes time it would otherwise spend exploring new paths.
Announcing rewards for open source projects
We believe that user and internet security as a whole can benefit greatly if
more open source projects include fuzzing in their development process. To this
end, we'd like to encourage more projects to participate and adopt the ideal
integration guidelines that we've established.
Combined with fixing all the issues that are found, this is often a significant
amount of work for developers who may be working on an open source project in
their spare time. To support these projects, we are expanding our existing Patch Rewards
program to include rewards for the integration of fuzz
targets into OSS-Fuzz.
To qualify for these rewards, a project needs to have a large user base and/or
be critical to global IT infrastructure. Eligible projects will receive $1,000
for initial integration, and up to $20,000 for ideal integration (the final
amount is at our discretion). You have the option of donating these rewards to
charity instead, and Google will double the amount.
To qualify for the ideal integration reward, projects must show that:
Fuzz targets are checked into their upstream repository and integrated in the build system with sanitizer support (up to $5,000).
Fuzz targets are efficient and provide good code coverage (>80%) (up to $5,000).
Fuzz targets are part of the official upstream development and regression testing process, i.e. they are maintained, run against old known crashers and the periodically updated corpora (up to $5,000).
The last $5,000 is a "l33t" bonus that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.
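What the integration criteria above look like in a source tree, as an added example that is not OSS-Fuzz code or the code of any project named in this post: a libFuzzer-style fuzz target for a hypothetical run-length codec. The functions rle_encode and rle_decode, the macro RLE_FUZZ_LIBFUZZER, the file name rle_fuzz.c and the paths under tests/fuzz/ are all invented here. The example also illustrates the earlier point about logic bugs: besides the memory errors the sanitizers in the build line catch, the target checks a decode/encode/decode round trip and aborts on a mismatch, so a pure correctness bug is reported just like a crash. The fallback main() replays checked-in known crashers and corpus files, which is how the same target doubles as a regression test in CI.

```c
/*
 * Added example (not OSS-Fuzz code): libFuzzer-style fuzz target for a
 * hypothetical run-length codec, rle_encode/rle_decode, invented here to
 * stand in for a project's library. Names and paths are assumptions.
 *
 * Fuzzing build:    clang -g -O1 -fsanitize=fuzzer,address,undefined \
 *                       -DRLE_FUZZ_LIBFUZZER rle_fuzz.c -o rle_fuzz
 * Regression build: clang -g -O1 -fsanitize=address,undefined rle_fuzz.c -o rle_regress
 *                   ./rle_regress tests/fuzz/crashers/* tests/fuzz/corpus/*
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RLE_MAX_OUT 4096

/* Hypothetical library code under test. Wire format: (count, byte) pairs with
 * count in 1..255. Returns bytes written, or -1 on malformed input or when the
 * output would not fit in out_cap. */
int rle_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len % 2 != 0) return -1;
    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 2) {
        uint8_t count = in[i], val = in[i + 1];
        if (count == 0) return -1;
        if (o + count > out_cap) return -1;   /* ASan would flag the overflow if this were missing */
        memset(out + o, val, count);
        o += count;
    }
    return (int)o;
}

/* Greedy encoder: a run longer than 255 is split into several pairs. */
int rle_encode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t o = 0;
    for (size_t i = 0; i < in_len;) {
        size_t run = 1;
        while (i + run < in_len && in[i + run] == in[i] && run < 255) run++;
        if (o + 2 > out_cap) return -1;
        out[o++] = (uint8_t)run;
        out[o++] = in[i];
        i += run;
    }
    return (int)o;
}

/* The fuzz target: libFuzzer (and so OSS-Fuzz) calls this once per input.
 * Rejected inputs are ignored; accepted inputs must survive a
 * decode -> encode -> decode round trip. abort() on a mismatch turns a logic
 * bug into a crash the fuzzer reports, exactly like a memory error. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t dec[RLE_MAX_OUT], enc[2 * RLE_MAX_OUT], dec2[RLE_MAX_OUT];
    int n = rle_decode(data, size, dec, sizeof dec);
    if (n < 0) return 0;
    int m = rle_encode(dec, (size_t)n, enc, sizeof enc);
    if (m < 0) abort();                      /* a valid decode result must always encode */
    int n2 = rle_decode(enc, (size_t)m, dec2, sizeof dec2);
    if (n2 != n || memcmp(dec, dec2, (size_t)n) != 0) abort();   /* round-trip oracle */
    return 0;
}

#ifndef RLE_FUZZ_LIBFUZZER
/* Regression driver, compiled in unless libFuzzer supplies main(): feeds every
 * file named on the command line (old known crashers, the current corpus)
 * through the same target so they are re-checked on each CI run. */
static int replay_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return -1; }
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long len = ftell(f);
    if (len < 0) { fclose(f); return -1; }
    rewind(f);
    uint8_t *buf = malloc(len > 0 ? (size_t)len : 1);
    if (!buf) { fclose(f); return -1; }
    size_t got = fread(buf, 1, (size_t)len, f);
    fclose(f);
    if (got != (size_t)len) { free(buf); return -1; }
    int rc = LLVMFuzzerTestOneInput(buf, got);   /* aborts if a bug reproduces */
    free(buf);
    return rc;
}

int main(int argc, char **argv) {
    int failures = 0;
    for (int i = 1; i < argc; i++) {
        if (replay_file(argv[i]) != 0) failures++;
        else printf("ok   %s\n", argv[i]);
    }
    return failures ? 1 : 0;
}
#endif
```

In an OSS-Fuzz build script the same file would be compiled with the build environment's $CC and $CFLAGS, and the fuzzing engine is linked in by that environment rather than through the -fsanitize=fuzzer flag shown in the comment; the regression build is what a project would wire into its own test suite so that crashers fixed once stay fixed.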
We've already started to contact the first round of projects that are eligible
for the initial reward. If you are the maintainer or point of contact for one of
these projects, you may also reach out to us
in order to apply for our ideal integration rewards.
The future
We'd like to thank the existing contributors who integrated their projects and
fixed countless bugs. We hope to see more projects integrated into OSS-Fuzz, and
greater adoption of fuzzing as standard practice when developing software.