all: oss-fuzz integration #30474

guidovranken opened this issue Feb 28, 2019 · 3 comments

@guidovranken guidovranken commented Feb 28, 2019

We are working on an oss-fuzz project to fuzz Go's internal libraries: google/oss-fuzz#2188

Is the Go dev team interested in receiving automated bug reports?

For my other oss-fuzz project that fuzzes Go, bignum-fuzzer, is configured to receive reports. Should I use that same address for this project?


@bcmills bcmills commented Feb 28, 2019

Can you configure it to file GitHub issues directly? That seems preferable to a mailing list.

CC @golang/osp-team

@bcmills bcmills added this to the Unreleased milestone Feb 28, 2019

@bradfitz bradfitz commented Feb 28, 2019

Please don't mail, even if one might argue that many fuzz bugs are somehow security bugs. We don't want alert fatigue there. (Yes, one might argue if we fix all our fuzz issues there would be no alerts or fatigue.)

But as Bryan said, GitHub would be best. If that's too hard we can create a separate mailing list just for this.

@FiloSottile FiloSottile commented Feb 28, 2019

First, this is awesome, oss-fuzz was on my list for the next quarter.

I agree GitHub issues would be best. I'd only make an exception for the crypto packages (crypto/... and, which should go to security@. I can think of multiple fuzzed security issues there over the years.

I'll join the google/oss-fuzz#2188 thread after reading how the integration works, as I'd be happy to maintain and expand the fuzzers for the crypto code in particular. Also, I know of another effort by @mmcloughlin which we should probably merge.

@FiloSottile FiloSottile changed the title Go internal library oss-fuzz integration all: oss-fuzz integration Feb 28, 2019