Security News > 2022 > September > Google urges open source community to fuzz test code

Google's open source security team says OSS-Fuzz, its community fuzzing service, has helped fix more than 8,000 security vulnerabilities and 26,000 other bugs in open source projects since its 2016 debut.

The group would like to see open source developers do more fuzzing to make the world a better place, or at least make software a bit more secure.

Google launched OSS-Fuzz in 2016 in response to the Heartbleed vulnerability, a memory buffer overflow flaw that could have been detected by fuzz testing.

"At the time fuzzing was not widely used and was cumbersome for developers, requiring extensive manual effort," explain Jonathan Metzman and Dongge Liu, from Google's Open Source Security Team, in a blog post.

OSS-Fuzz currently checks some 700 critical open source projects for bugs and in July spotted a serious flaw in the TinyGLTF project, a library that relies on the C library function wordexp() for file path expansion on untrusted paths from an input file.

Metzman and Liu have encouraged those participating in the open source community to embrace fuzzing and have dangled the prospect of rewards.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/09/08/google_fuzz_rewards/