>> or twice that amount ($40K), if the proceeds are donated to a charity.
1) Create some horribly insecure OSS software
2) Set up charity, make self "director", limit payouts to cause to under 5%, set director fees to around 90%
3) Integrate Google fuzz, report self and payout to, er, "charity"
4) PROFIT!
From TFA (in case anyone was wondering about the criteria):
"To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure."
Isn't it interesting how it takes a multi-billion dollar closed-source development company to clean up the security messes left by open source software?
Isn't it interesting how it takes an unpaid outfit to expose the hacks of a multi-billion dollar closed state-sponsored terrorist agency taking advantage of the security messes of multi-billion dollar closed source development companies?
The SQLite developers were also surprised by how many bugs OSS-Fuzz (and American Fuzzy Lop [coredump.cx]) have found in SQLite.
The best explanation I have is that OSS-Fuzz and AFL are exploring extreme corner-cases of the code where human-generated tests would never think to go. Fuzzing is great for finding bugs that involve totally unreasonable inputs that never happen in actual practice and which can only appear as part of a deliberate attack. Fuzzing has not found any bugs that would impact the day-to-day use of