all: oss-fuzz integration

[guidovranken]

We are working on an oss-fuzz project to fuzz Go's internal libraries: google/oss-fuzz#2188

Is the Go dev team interested in receiving automated bug reports?

For my other oss-fuzz project that fuzzes Go, bignum-fuzzer, security@golang.org is configured to receive reports. Should I use that same address for this project?

Thanks

[bcmills]

Can you configure it to file GitHub issues directly? That seems preferable to a mailing list.

CC @golang/osp-team

[bradfitz]

Please don't mail security@golang.org, even if one might argue that many fuzz bugs are somehow security bugs. We don't want alert fatigue there. (Yes, one might argue if we fix all our fuzz issues there would be no alerts or fatigue)

But as Bryan said, GitHub would be best. If that's too hard we can create a separate mailing list just for this.

[FiloSottile]

First, this is awesome, oss-fuzz was on my list for the next quarter.

I agree GitHub issues would be best. I'd only make an exception for the crypto packages (crypto/... and golang.org/x/crypto/...), which should go to security@. I can think of multiple fuzzed security issues there over the years.

I'll join the google/oss-fuzz#2188 thread after reading how the integration works, as I'd be happy to maintain and expand the fuzzers for the crypto code in particular. Also, I know of another effort by @mmcloughlin which we should probably merge.