Google’s OSS-Fuzz Tool Helps Secure Open Source Projects

Jonathan Mathews


At the end of last year, Google announced OSS-Fuzz, an open source threat detection tool focused on making open source applications and platforms more secure and stable. The tool itself is open and available on GitHub, and there are now solid numbers showing that this security tool has made a remarkable difference for some well-known open source projects.

By the Numbers

According to Google developers, OSS-Fuzz has found more than 1,000 bugs (264 of which are potential security vulnerabilities) in widely used open source projects, some of them major. The bugs have been uncovered in projects ranging from LibreOffice to Wireshark, and Google notes the following:

“We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process. To this end, we’d like to encourage more projects to participate and adopt the ideal integration guidelines that we’ve established.”

Once an open source project is integrated with OSS-Fuzz, the service scans it continuously and automatically, so it can reveal problems only hours after changes go into an upstream repository, before any users are affected.

Google reports: “OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801).”
