ForAllSecure is offering $1,000 for anyone to integrate its AI-powered fuzzer Mayhem into open-source projects — whether they are the project's maintainer or not.
"This is, I guess, just a thesis difference we have [with other CI/CD security incentive programs]. We believe that everyone should be able to check the security, the software that they're going to run, not just the developers," said David Brumley, chief executive and co-founder of ForAllSecure. "The developer is who probably should patch, but everyone should be able to do that risk assessment."
The program, named Mayhem Heroes, will offer a reward to forks of a reasonably popular open-source project implementing the free version of Mayhem. Terms of the bounty include that the original cluster needs 100 stars or more to qualify.
ForAllSecure debuted its free version of Mayhem last month.
Open-source supply chains has come under scrutiny in the past year after Log4j and a series of vulnerabilities intentionally introduced as a form of protest: Colors, Faker and Node-ipc. While experts regularly caution against painting open source with a broad brush — vulnerabilities happen in commercial packages and well maintained open source is generally considered trustworthy — they present chokepoints where a problem can have massive downstream effects.
"We're getting actually the most excitement from downstream users," said Brumley of Mayhem Heroes, though he said support from developers he had spoken to was also robust. "We reached out to automotive manufacturers, and said, 'Hey, look, here's stuff that you're putting in your cars, for example. It's open source.' You've never tested now it can be tested for free and benefit not just the developer, but also companies like yourself."