Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integrating with OSS-Fuzz #424

Closed
Google-Autofuzz opened this issue Jul 5, 2019 · 3 comments
Closed

Integrating with OSS-Fuzz #424

Google-Autofuzz opened this issue Jul 5, 2019 · 3 comments

Comments

@Google-Autofuzz
Copy link

Greetings openexr developers and contributors,

We’re reaching out because your project is an important part of the open source ecosystem, and we’d like to invite you to integrate with our fuzzing service, OSS-Fuzz. OSS-Fuzz is a free fuzzing infrastructure you can use to identify security vulnerabilities and stability bugs in your project, like those ones. OSS-Fuzz will:
Continuously run all the fuzzers you write.
Alert you when it finds issues.
Automatically close issues after they’ve been fixed by a commit.

Many widely used open source projects like OpenSSL, FFmpeg, LibreOffice, and ImageMagick are fuzzing via OSS-Fuzz, which helps them find and remediate critical issues.

Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure.

We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward.

If you're not interested in integrating with OSS-Fuzz, it would be helpful for us to understand why—lack of interest, lack of time, or something else—so we can better support projects like yours in the future.

If we’ve missed your question in our FAQ, feel free to reply or reach out to us at oss-fuzz-outreach@googlegroups.com.

Thanks!

Julien,
OSS-Fuzz Team
@cary-ilm
Copy link
Member

cary-ilm commented Jul 8, 2019

We're interesting in finding out more information about the service. We'll contact you directly via email.

@cary-ilm
Copy link
Member

After discussing it further with the OpenEXR Technical Steering Committee, we've decided to rely on our own fuzz testing infrastructure rather than integrating with OSS-Fuzz.

@Google-Autofuzz
Copy link
Author

How is your fuzzing going?

We still have around two dozen crashes reproducing our the current master, and Samuel Groß from project zero found 8 exploitable issues in two weeks of fuzzing.

It seems that you refused OS-Fuzz integration because "we take security seriously and have invested in a fuzz test that we’d prefer to keep investing in".

I'm not sure I understand your position: you have some fuzzers, yet you don't want Google to run them for you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cary-ilm @Google-Autofuzz