
ForAllSecure offering $1K to integrate free fuzzer to open source projects


ForAllSecure is offering $1,000 for anyone to integrate its AI-powered fuzzer Mayhem into open-source projects — whether they are the project's maintainer or not.

"This is, I guess, just a thesis difference we have [with other CI/CD security incentive programs]. We believe that everyone should be able to check the security, the software that they're going to run, not just the developers," said David Brumley, chief executive and co-founder of ForAllSecure. "The developer is who probably should patch, but everyone should be able to do that risk assessment."

The program, named Mayhem Heroes, will offer a reward for forks of a reasonably popular open-source project that integrate the free version of Mayhem. Among the bounty's terms, the original project needs 100 stars or more to qualify.

ForAllSecure debuted its free version of Mayhem last month.

Open-source supply chains have come under scrutiny in the past year after Log4j and a series of vulnerabilities intentionally introduced as a form of protest: Colors, Faker and Node-ipc. While experts regularly caution against painting open source with a broad brush — vulnerabilities happen in commercial packages too, and well-maintained open source is generally considered trustworthy — widely used open-source packages present chokepoints where a single problem can have massive downstream effects.

"We're getting actually the most excitement from downstream users," said Brumley of Mayhem Heroes, though he said support from developers he had spoken to was also robust. "We reached out to automotive manufacturers, and said, 'Hey, look, here's stuff that you're putting in your cars, for example. It's open source. You've never tested it; now it can be tested for free and benefit not just the developer, but also companies like yourself.'"

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
