
Google’s OSS-Fuzz Finds 1,000 Open Source Bugs


RV_


Apparently Google is getting some big results from a first-time effort, discovering vulnerabilities and issues in open source. As well, they are able to help folks who are writing code for open source projects.

 

Excerpt:

"The numbers are in — and judging by them, OSS-Fuzz, the program Google unveiled last December to continuously fuzz open source software, has been a success.

In five months' time the effort has unearthed over 1,000 bugs, a quarter of them potential security vulnerabilities, Google says.

OSS-Fuzz, still in beta mode, is built on fuzzing engines like libFuzzer, sanitizers, Address Sanitizer, and a distributed fuzzing architecture that catalogs statistics as they pop up. The project was one of two Google unveiled last December. It also released Project Wycheproof, a collection of unit tests designed to help cryptographers check for weaknesses in cryptographic algorithms.

Engineers behind the platform – Oliver Chang and Abhishek Arya with Chrome Security, Kostya Serebryany, Software Engineer with Dynamic Tools, and Josh Armour, a Security Program Manager with Google – wrote a blog post to fill the public in on the last five months on Monday.


While it can’t disclose all of the bugs – some are still restricted – Google says the project has helped find bugs in all types of open source software, including 10 bugs in FreeType2, 17 in FFmpeg, 33 in LibreOffice, eight in SQLite 3, 10 in GnuTLS, 25 in PCRE2, nine in gRPC, and seven in Wireshark.

While the statistics behind OSS-Fuzz are positive news, Google also said something else that should put a smile on developers’ faces. The engineers said the company wants to help developers behind some of the open source projects, many of which operate on a shoestring budget, better fund their projects."

More in the original article here:

https://threatpost.com/googles-oss-fuzz-finds-1000-open-source-bugs/125545/

 

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


Archived

This topic is now archived and is closed to further replies.
