Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upAbility to restritct how up to date the public corpus is #35
Comments
|
Sounds interesting. moved to internal task list |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As I understand it, the public corpus is updated frequently (every hour), but it never contains unfixed crashes.
This is okay, but not great for security-sensitive projects like open source libraries. If a bad actor assumes that a crash is unfixed, they could download the latest corpus and fuzz for an hour or two, and likely find the same crash case.
I think a reasonable way to resolve this would be to make it more difficult for the bad actors. After all, they can always fuzz from scratch, but we still want legitimate users to be able to get a useful corpus.
For example, how about making it so that public corpuses are out of date by a number of days? This could be 30 days, for example. This could be made public when a user downloads the corpus. Regression tests would still be almost as useful, yet it would likely take days or weeks of fuzzing for anyone to dig up unfixed crashes, leaving more time for the maintainer to take action.
I think this could be configurable, but forcing a default like 30 days would also be fine with me.