In the last five months, Google’s OSS-Fuzz program has unearthed over 1,000 bugs in 47 open source software projects, and it’s ready to integrate even more of them.

Fuzzing open source

Software flaws can end up creating security vulnerabilities, and undermine the security of the open source foundation of many apps, sites, services, and networked things.

Launched in December 2016, OSS-Fuzz aims to provide continuous fuzzing for select core open source software.

“OSS-Fuzz’s goal is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution,” Google explained.

“OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers (initially, AddressSanitizer) and provides a massive distributed execution environment powered by ClusterFuzz.”

The program has been a success

So far, OSS-Fuzz has found a total of 264 potential security vulnerabilities: 7 in Wireshark, 33 in LibreOffice, 8 in SQLite 3, 17 in FFmpeg – and the list goes on.

“Fuzzing not only finds memory safety related bugs, it can also find correctness or logic bugs,” Google’s engineers noted.

“Once a project is integrated into OSS-Fuzz, the continuous and automated nature of OSS-Fuzz means that we often catch these issues just hours after the regression is introduced into the upstream repository, before any users are affected.”

Pushing for greater adoption of fuzzing in software development

Google wants even more open source projects to reap the benefit of fuzzing, and has put out a call for more projects to participate in the program. This time, though, there’s added incentive.

“Combined with fixing all the issues that are found, this is often a significant amount of work for developers who may be working on an open source project in their spare time. To support these projects, we are expanding our existing Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz.”

For now, only software projects that have large user base and/or are critical to global IT infrastructure need apply, and they can rack up to $20,000, depending on the “quality” of their fuzz targets.