Product reviews, deals and the latest tech news

Google Boosts Open Source Incentives, Plans to Add Support for JavaScript Fuzzing

To encourage the discovery of vulnerabilities in open source software, Google has increased the incentive amount for the OSS-Fuzz Reward Program to $30,000.

Now that the programme has grown, the maximum payout for a single project integration has increased from $20,000 to $30,000.

The goal of OSS-Fuzz is to encourage the use of fuzz testing in open source projects, and the addition of new reward categories will encourage the development of further methods for integrating such projects.

Google has added two new kinds of rewards to OSS-Fuzz to encourage widespread improvements. It has a maximum of $11,337 in each price range. Furthermore, it is rewarding the incorporation of new sanitizers or “bug detectors” that aid in vulnerability discovery, as well as the inclusion of renowned FuzzBench fuzzers.

By bolstering incentives for security researchers and open source maintainers, the Google OSS-Fuzz team “hopes to speed the incorporation of essential open source projects into OSS-Fuzz,” says team member Oliver Chang.

According to Google, 850 open source projects have had over 8800 vulnerabilities and 28,000 problems resolved thanks to the efforts of OSS-Fuzz since 2016. Approximately 500 projects were included as of the end of the year 2021. These range from libraries utilised by many other open source projects to standalone applications for end users.

Researchers may use OSS-Fuzz, an online code testing service, to do “fuzzing,” an automated software testing technique for discovering vulnerabilities including programme crashes and memory leaks.

The Google OSS-Fuzz team has detailed the program’s plans for the next year. These include increased support for projects written in many languages.

This past September, for instance, OSS-Fuzz was used to find a critical flaw in the C++ library TinyGLTF. Before it was addressed, the vulnerability might have enabled attackers to execute code in programmes that relied on the library. While the library itself was developed in C++, Google highlighted at the time that the flaw might affect any programming language, which validated the company’s fuzzing method, which had previously only been employed on C and C++ code. Chromium, the Linux kernel, Windows, Android, and a plethora of other platforms are just a few examples.

In Google’s own words: Memory-safe languages like Go, Rust, Python, and Java are all supported by OSS-Fuzz, which is used to find bugs in these languages. Furthermore, OSS-Fuzz will soon feature support for JavaScript fuzzing using Jazzer.js thanks to collaboration with app security testing company Code Intelligence.

Support for C/C++, Python, and Java projects has been introduced to OSS-Fuzz, and Google has also incorporated OpenSSF’s FuzzIntrospector into OSS-Fuzz to learn how to increase OSS-efficiency Fuzz’s and scope.