all: oss-fuzz integration #30474

Open
guidovranken opened this issue Feb 28, 2019 · 3 comments

Comments

@guidovranken

commented Feb 28, 2019

We are working on an oss-fuzz project to fuzz Go's internal libraries: google/oss-fuzz#2188

Is the Go dev team interested in receiving automated bug reports?

For my other oss-fuzz project that fuzzes Go, bignum-fuzzer, security@golang.org is configured to receive reports. Should I use that same address for this project?

Thanks

@bcmills

Member

commented Feb 28, 2019

Can you configure it to file GitHub issues directly? That seems preferable to a mailing list.

CC @golang/osp-team

@bcmills bcmills added this to the Unreleased milestone Feb 28, 2019

@bradfitz

Member

commented Feb 28, 2019

Please don't mail security@golang.org, even if one might argue that many fuzz bugs are somehow security bugs. We don't want alert fatigue there. (Yes, one might argue if we fix all our fuzz issues there would be no alerts or fatigue)

But as Bryan said, GitHub would be best. If that's too hard we can create a separate mailing list just for this.

@FiloSottile

Member

commented Feb 28, 2019

First, this is awesome, oss-fuzz was on my list for the next quarter.

I agree GitHub issues would be best. I'd only make an exception for the crypto packages (crypto/... and golang.org/x/crypto/...), which should go to security@. I can think of multiple fuzzed security issues there over the years.

I'll join the google/oss-fuzz#2188 thread after reading how the integration works, as I'd be happy to maintain and expand the fuzzers for the crypto code in particular. Also, I know of another effort by @mmcloughlin which we should probably merge.

@FiloSottile FiloSottile changed the title Go internal library oss-fuzz integration all: oss-fuzz integration Feb 28, 2019
