Fuzzing is an automated code-testing process that inserts random data into an application to see how it responds and surface any bugs that may exist. Until now, Google’s maximum payout for fuzz testing bugs was $20,000, but the company is significantly increasing it.
We’ve operated this successfully for the past 5 years, and to date, the OSS-Fuzz Reward Program has awarded over $600,000 to over 65 different contributors for their help integrating new projects into OSS-Fuzz.
These changes boost the total rewards possible per project integration from a maximum of $20,000 to $30,000 (depending on the criticality of the project). In addition, we’ve also established two new reward categories that reward wider improvements across all OSS-Fuzz projects, with up to $11,337 available per category.
The increase is good news for security researchers and bug testers, many of whom rely on bug bounties for their income.