The program has one rule, namely that the bugs must be identified using “fuzzing.”
Fuzzing, or fuzz testing, is a technique for identifying bugs by throwing random, invalid, or unexpected data as input into a program and analyzing the output for abnormalities.
Fuzzing rarely used to hunt bugs
The technique is broadly used inside big tech companies but rarely by security researchers working on their own, because fuzzing is computationally expensive and usually requires access to vast and expensive cloud computing resources.
Security researchers working on their own usually don’t get paid until months after they file a bug on public bug bounty platforms, and the payouts aren’t guaranteed to cover the upfront cost of renting large cloud computing resources to perform large-scale fuzzing operations.
In a blog post on Thursday, Google said it created this research grant to address this particular problem.
Google says it will analyze each submission and provide an answer to all applicants within two weeks. Approved projects can receive up to $5,000 in funding.
The funds will be provided as credits for Google Compute Engine (GCE), Google Cloud’s heavy computing infrastructure, to prevent the funds from being misused.
Open-source tool already available
This is a special pilot program that will run only from October 1, 2020, to October 1, 2021. The program has been named the Fuzzilli Research Grant after Google’s own Fuzzilli open-source fuzzing tool, which supports distributed fuzzing on GCE and which Google encourages researchers to use.
Google said that all bugs identified during the pilot program must be reported to the affected vendors. Researchers can keep any additional bug bounty payouts for the bugs they find during the pilot program.
They have a central role in a browser, and as a result, are likely to be attacked by threat actors.
Additional program rules are here.