OSS-Fuzz Reward Program Rules

OSS-Fuzz is a free fuzzing platform for critical open source projects. It aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

There are several ways to get rewarded for contributing to OSS-Fuzz, such as integrating new projects, improving existing projects, or adding ways to find new classes of vulnerabilities.

Qualifying submissions & reward amounts

Fuzzing integration

Type: OSS-Fuzz initial integration
Reward & Criteria: Up to $5,000
  Fuzz targets need to be checked into their upstream repository and integrated into the build system with sanitizer support.
  Projects are accepted by the OSS-Fuzz team based on their criticality, e.g. a criticality score of 0.7 or higher, or use as part of critical infrastructure and/or a large user base.
Submission requirement: Links to commits/PRs showing both the upstream and OSS-Fuzz integration.

Type: Ideal fuzzing integration
Reward & Criteria: Up to $15,000, based on the following criteria:
  • The upstream development process has CIFuzz enabled to fuzz all pull requests.
  • The fuzzing coverage is at least 50% across the entire project, and targets are efficient.
  • At least 2 reported bugs are fixed.
  • Discretion bonus to recognize outstanding work.
Submission requirement: Links to commits/PRs, coverage reports, and bugs.

Fuzzing coverage

Type: Line coverage improvements in any OSS-Fuzz integrated project
Reward & Criteria: Up to $5,000 for a single project (up to $1,000 per 10% increase).
Submission requirement: Links to commits/PRs making the improvement, and links to historical OSS-Fuzz coverage reports showing improvements.

Type: FuzzIntrospector (call tree coverage/coloring) improvements
Reward & Criteria: Up to $5,000 for a single project, based on the following criteria:
  • 10% increase in non-zero callsite buckets: up to $1,000
  • Increasing the number of (statically) reached functions/complexity by 10%: up to $1,000
Submission requirement: Links to commits/PRs making the improvement, and links to historical FuzzIntrospector reports showing improvements.

Type: FuzzBench integration reward
Reward & Criteria: Up to $11,337 for any FuzzBench fuzzer integrations that show significant improvement over existing fuzzers.
  Submissions are evaluated case by case and at the discretion of FuzzBench maintainers. Results will be validated against a different set of benchmarks than the public ones.
Submission requirement: Links to commits/PRs showing the integration, experiment reports, and a paper describing the techniques used in the fuzzer.

Vulnerabilities

Type: Integrating a new sanitizer into OSS-Fuzz
Reward & Criteria: Up to $11,337
  The new sanitizer needs to find at least 2 real vulnerabilities in a project integrated into OSS-Fuzz.
Submission requirement: Links to commits/PRs integrating the sanitizer, and links to bugs found.

Type: Finding a critical vulnerability that has widespread impact as a result of fuzzing integration
Reward & Criteria: Up to $11,337
  This vulnerability needs to have a direct exploitable impact on a large user base.
Submission requirement: Links to fuzzing integration work, OSS-Fuzz bugs found, and justification of impact.

Submitting to the program

All OSS-Fuzz submissions should be reported using this form.

We are unable to receive reports and/or issue rewards to individuals or entities that are on sanctions lists, or who are in territories subject to sanctions (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic). Additionally, due to administrative difficulties, we no longer issue rewards to individuals or entities located in Russia.

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter the program depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.

Your testing must not violate any law, or disrupt or compromise any data that is not your own.

To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop software covered by this program.