The Complete Magazine on Open Source

Google launches OSS-Fuzz to improve open source developments

SHARE
/ 1871 0

Google OSS-Fuzz fuzz testing project

Supporting the community with a secure and stable experience, Google has launched OSS-Fuzz. The new beta project is aimed to enable “fuzz testing” of open source developments to reduce security vulnerabilities and logical bugs from software.

Google has been working with the “Core Infrastructure Initiative” community from the past few years to bring constant fuzzing for open source software. Fuzzing or simply known as fuzz testing triggers uncover errors by generating random inputs to a program. This is specifically of great use for open source projects that are available widely or are vital for the IT infrastructure globally.

“OSS-Fuzz’s goal is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution,” writes Google’s testing team led by open research lead Meredith Whittaker, in a blog post.

The OSS-Fuzz project works with fuzzing engines and sanitizers to identify vulnerabilities in projects based on programming languages like C and C++. Google already tested the development on Chrome components and found several security issues and stability bugs. Moreover, the program has helped in reporting as many as 150 bugs from a large number of open source projects.

Developer contributions

Developers can contribute to OSS-Fuzz through GitHub and assist in fixing bugs from critical open source applications, libraries and APIs. There is also a way to submit for fuzz testing a project that has a significant user base or critical to the global IT infrastructure.

Google has developed a 90-day deadline for openly reporting issues from submitted open source projects. However, there is 14-day grace period if a certain schedule is notified for releasing the patch to the Google team.