OSS-Fuzz Reward Program Rules
OSS-Fuzz is a free fuzzing platform for critical open source projects. It aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.
There are several ways to get rewarded for contributing to OSS-Fuzz, such as integrating new projects, improving existing projects, or adding ways to find new classes of vulnerabilities.
Qualifying submissions & reward amounts
Fuzzing integration
Type | Reward & Criteria |
---|---|
OSS-Fuzz initial integration | Up to $5,000. Fuzz targets need to be checked into their upstream repository and integrated into the build system with sanitizer support. Projects are accepted by the OSS-Fuzz team based on their criticality, e.g. a criticality score >= 0.7, or if they are used as part of critical infrastructure and/or have a large user base. Submission requirement: links to commits/PRs showing both the upstream and OSS-Fuzz integration. |
Ideal fuzzing integration | Up to $15,000, based on the following criteria: |
Fuzzing coverage
Type | Reward & Criteria |
---|---|
Line coverage improvements in any OSS-Fuzz integrated project | Up to $5,000 for a single project (up to $1,000 per 10% increase in line coverage). Submission requirement: links to commits/PRs making the improvement, and links to historical OSS-Fuzz coverage reports showing the improvement. |
FuzzIntrospector (call tree coverage/coloring) improvements | Up to $5,000 for a single project, based on the following criteria: |
FuzzBench integration reward | Up to $11,337 for any FuzzBench fuzzer integration that shows significant improvement over existing fuzzers. Submissions are evaluated case by case and at the discretion of the FuzzBench maintainers. Results will be validated against a different set of benchmarks than the public ones. Submission requirement: links to commits/PRs showing the integration, experiment reports, and a paper describing the techniques used in the fuzzer. |
Vulnerabilities
Type | Reward & Criteria |
---|---|
Integrating a new sanitizer into OSS-Fuzz | Up to $11,337. The new sanitizer needs to find at least 2 real vulnerabilities in a project integrated into OSS-Fuzz. Submission requirement: links to commits/PRs integrating the sanitizer, and links to the bugs found. |
Finding a critical vulnerability that has widespread impact as a result of fuzzing integration | Up to $11,337. The vulnerability needs to have a direct, exploitable impact on a large user base. Submission requirement: links to the fuzzing integration work, the OSS-Fuzz bugs found, and a justification of the impact. |
Submitting to the program
All OSS-Fuzz submissions should be reported using this form.
Legal
We are unable to receive reports and/or issue rewards to individuals or entities that are on sanctions lists, or who are in territories subject to sanctions (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic). Additionally, due to administrative difficulties, we no longer issue rewards to individuals or entities located in Russia.
You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter the program depending upon your local law.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.
To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop software covered by this program.