Posted by Samuel Groß, Project Zero
Project Zero’s mission is to make 0-day hard in order to improve end-user security. We attack this problem in different ways, including supporting other security researchers. While Google currently offers research grants, they are limited to academics and those affiliated with universities.
The proposal will be reviewed by an internal review board and, if accepted, the researchers will be awarded up to USD $5,000 in GCE credits per submission to be used for fuzzing.
All bugs found throughout the course of the project must be reported directly to the affected vendors. Researchers can claim full CVE credits and applicable bug bounties.
Custom, domain-specific sanitizers such as WebKit's doesGC validation or bounds-check-elimination verification, which can detect bugs that would otherwise go unnoticed because they don't immediately cause an observable failure
Different high-level fuzzing approaches such as differential fuzzing
New code mutation or generation approaches that outperform existing ones
Targeted approaches to fuzz for variants of previously reported bugs
Applications can be submitted by filling out this form. Submissions are not limited to those in academia or those with a demonstrated track record of success - if you have a good idea in this space, we'd love to hear from you. Incoming submissions will be reviewed by a review board on a regular basis and we aim to respond to every submission within 2 weeks. If the project is accepted, the researchers may be awarded GCE credits worth up to USD $5,000. Researchers can also apply for multiple grants throughout the lifetime of a project. The grants come with the following requirements:
All vulnerabilities found must be reported only to the affected vendor. Researchers are encouraged to apply Project Zero’s 90-day disclosure policy. Researchers may claim any CVE credits and bug bounty payouts for reporting the bugs, provided this doesn’t conflict with these requirements.
Any newly developed source code must be published under an open source license that permits further research by others.
An interim report, for Google only, at the conclusion of the fuzzing, demonstrating the initial results of the research so we can determine its efficacy and make our folks in accounting happy.
Furthermore, a final report of some form (e.g. a conference paper, a blog post, or a standalone PDF) due no later than 6 months after the first grant for a project has been awarded, including:
A detailed explanation of the project
Basic statistics about which engines have been fuzzed for how long (CPU time, iterations, etc.)
A clear technical explanation of all vulnerabilities discovered throughout the project.
The pilot program will run for one year, from Oct 1, 2020 until Oct 1, 2021. Applications can be submitted at any time during this period, however, the program might end earlier if funds are exhausted.
This program is similar to Google Cloud research credits, though that program is limited to university affiliates. In contrast, this program is specifically designed to accept submissions from anyone.
We are unable to issue grants to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary grant program. You should understand that we can cancel the program at any time and the decision as to whether or not to award a grant is entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.