For the last five months, The Document Foundation, the non-profit organisation behind the popular free and open source LibreOffice productivity suite, has made use of OSS-Fuzz, Google’s effort to make open source software more secure and stable, to improve the quality and reliability of LibreOffice’s source code still further. Developers have used the continuous and automated fuzzing process, which often highlights problem just hours after they appear in the upstream code repository, to solve bugs – and potential security issues – before the next binary release.

LibreOffice 5.3.3 running on the author's Debian GNU/Linux laptop

LibreOffice 5.3.3 running on the author’s Debian GNU/Linux laptop

LibreOffice is the first free office suite in the marketplace to make use of Google’s OSS-Fuzz. The service, which is associated with other source code scanning tools such as Coverity, has been integrated into LibreOffice’s security processes – under the leadership of Red Hat – to improve the source code’s quality significantly.

According to Coverity Scan’s last report, LibreOffice has an industry leading defect density of 0.01 per 1,000 lines of code (based on 6,357,292 lines of code analysed on 15th May 2017). “We have been using OSS-Fuzz, like we use Coverity, to catch bugs – some of which may turn into security issues – before the release. So far, we have been able to solve all of the 33 bugs identified by OSS-Fuzz well in advance over the date of disclosure”, says Red Hat’s Caolán McNamara, a senior developer and LibreOffice’s security team leader.

Further information about Google OSS-Fuzz is available on the project’s GitHub homepage and on the Google Open Source Blog.