AutoFuzz Patch Rewards

Help us make the Internet a safer place for everyone!

At Google, we operate several fuzzers which continuously discover bugs in Open Source Software (OSS). We triage and report these bugs to the upstream maintainers to fix.

As of March 2018, bugs reported in OSS are now eligible for a patch reward (similar to the Patch Rewards Program we have been running for years). This means maintainers can get a reward from Google for responding to security bugs in their projects. In the rare case where a bug has been reported upstream for over 90 days and is not yet fixed, we will now allow anyone (not just the maintainers) to submit a fix and get a reward.

Remediation process

So how exactly can you help us?

Maintainers:

  1. Look for bug reports from Google in your project's bug tracker.
  2. When you see one, file a CVE (see details here).
  3. Submit a patch and note it in the bug.
  4. Write any regression tests (if applicable).
  5. Attach everything (patch, tests, CVE, log of proof of concept, etc.) to the bug in your tracker.
  6. Once we have received all your artifacts and our fuzzers confirm the bug as fixed, we will issue your reward.

Anyone interested in Patch Rewards:

  1. Browse the AutoFuzz Patch Rewards component in issuetracker.google.com and pick a bug you would like to fix.
  2. Add a comment to the bug saying 'I would like to fix this bug'.
  3. File a CVE (see details here).
  4. Write your patch (for some of the bugs, we have already included a patch).
  5. Write your tests (if applicable).
  6. Submit everything to the upstream maintainer.
  7. Once your fix has been accepted by the upstream maintainer, attach everything (patch, tests, CVE, log of proof of concept, etc.) to the bug in issuetracker.google.com.
  8. Once we have received all your artifacts and our fuzzers confirm the bug as fixed, we will issue your reward.

Questions? Send us an email at autofuzz-patch-reward@google.com.

Bugs in scope

In scope are all security bugs found by our fuzzers which are either:

Reward amounts

The reward amount for each fix is listed in the bug (either in the upstream maintainer's bug tracker or in the AutoFuzz Patch Rewards component in issuetracker.google.com).

The amounts vary depending on several criteria, such as whether Google has already supplied a patch and whether tests and a CVE are submitted.

For those of you who prefer to give your patch reward to charity, we offer the option to donate it to a recognized charitable organization. If you do so, we will match your donation - at our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

Frequently asked questions

Q: What if somebody else also fixed the same bug?

A: The early bird gets the worm. You will qualify for a reward only if you were the first person to fix the bug.

Q: How will I get paid?

A: You will be paid through our established VRP payments process. You will need to register as a vendor with us and we will transfer the reward to a bank account of yours. See here for more information.

Q: Can I donate my reward to charity?

A: Certainly! We will even double your reward when you do so. Just let us know that you would like to donate when you submit all your artifacts for reward.

Q: Which charities can I donate to?

A: We are working with an external provider who vets charities for us. If you are unsure whether your favorite charity is eligible, contact us for confirmation.

Legal points

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists (e.g. Cuba, Iran, North Korea, Sudan and Syria). You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and that the decision whether or not to pay a reward is entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.