uriparser / uriparser

:hocho: Strictly RFC 3986 compliant URI parsing and handling library written in C89; moved from SourceForge to GitHub

Home Page: https://uriparser.github.io/

Integrating with OSS-Fuzz

Google-Autofuzz opened this issue

Greetings uriparser developers and contributors,

We’re reaching out because your project is an important part of the open source ecosystem, and we’d like to invite you to integrate with our fuzzing service, OSS-Fuzz. OSS-Fuzz is a free fuzzing infrastructure you can use to identify security vulnerabilities and stability bugs in your project. OSS-Fuzz will:

  • Continuously run at scale all the fuzzers you write.
  • Alert you when it finds issues.
  • Automatically close issues after they’ve been fixed by a commit.

Many widely used open source projects like OpenSSL, FFmpeg, LibreOffice, and ImageMagick are fuzzing via OSS-Fuzz, which helps them find and remediate critical issues.

Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure.

We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward.

To help you get started, we can attach our internal fuzzer for your project that you are welcome to use directly, or to use it as a starting point.

If you're not interested in integrating with OSS-Fuzz, it would be helpful for us to understand why—lack of interest, lack of time, or something else—so we can better support projects like yours in the future.

If we’ve missed your question in our FAQ, feel free to reply or reach out to us at oss-fuzz-outreach@googlegroups.com.

Thanks!

Tommy
OSS-Fuzz Team

I'm afraid I won't have time to work on this matter myself in the upcoming weeks.

We can help you initiate the integration to OSS-Fuzz. We just need a Google email address that you want the bugs to be reported to. After this initial integration, you can add more fuzzers when you have the time. @hartwork

Hi, we have a few fuzz targets internally that we can use to upstream uriparser to OSS-Fuzz. Since you are interested in upstreaming to OSS-Fuzz, can you provide us a working email address that we can send bugs to if there are any? It will be best to provide a Google email address. Thank you. @hartwork

> can you provide us a working email address that we can send bugs to if there are any.

Hi! Please use the hartwork.org one that I'm using with oss-fuzz for auto_ccs on libexpat, line 6 in google/oss-fuzz@9e2f041#diff-7b0830aa2831adbdc07e68f2c30a6982 . Does that work for you?

Yes, I can update that. Will use "webmaster@hartwork.org" as the primary email address.