
Google has increased the rewards for its OSS-Fuzz code testing project, making the top prize a hefty $30,000. On Wednesday, the company kicked things up a notch by adding some sweet incentives for fuzzing coverage projects.

You could earn up to $5,000 per project and even more for top-notch FuzzBench integrations – a whopping $11,337, to be exact. And if you’re a tinkerer at heart, you can make some money by integrating new sanitizers into OSS-Fuzz. All you have to do is find two legitimate vulnerabilities in an open-source project, and you could be looking at a maximum payout of $11,337.

The program is going strong

Fuzz testing, or fuzzing, automatically checks software for bugs by injecting random data. Google does this with OSS-Fuzz, which tests code in around 700 open-source projects. The OSS-Fuzz Reward Program has been finding and fixing bugs since 2017, and it has helped fix over 8,800 vulnerabilities and 28,000 bugs across 850 projects.

Last year, the OSS-Fuzz service uncovered a severe flaw in the TinyGLTF project, which relied on the C library function wordexp() for file path expansion. To date, the program has paid out $600,000 to over 65 contributors who helped integrate new projects into OSS-Fuzz. OSS-Fuzz currently supports C/C++, Go, Rust, Java, Python, and Swift and will soon include JavaScript fuzzing through Jazzer.js.

Google also launched the OpenSSF FuzzIntrospector tool

The tool provides insights into complex code blocks that are blocked during fuzzing and suggests new fuzz targets for improvement. Bug hunters can use this tool to increase the coverage of a project and can now receive a reward for doing so as part of the OSS-Fuzz Rewards update.

Google’s OSS-Fuzz Rewards is part of the company’s broader Patch Rewards Program, which incentivizes discovering and fixing security flaws in open-source software. This program benefits both parties, as it helps find bugs and saves Google a lot of money. In 2021, Google’s bug bounty programs paid a total of $8.7 million in rewards, a record amount.

With a maximum payout of $30,000, it’s a lucrative opportunity to contribute to open-source software while also boosting your skills and experience.
