all: oss-fuzz integration #30474
We are working on an oss-fuzz project to fuzz Go's internal libraries: google/oss-fuzz#2188
Is the Go dev team interested in receiving automated bug reports?
For my other oss-fuzz project that fuzzes Go, bignum-fuzzer, email@example.com is configured to receive reports. Should I use that same address for this project?
Please don't mail firstname.lastname@example.org, even if one might argue that many fuzz bugs are somehow security bugs. We don't want alert fatigue there. (Yes, one might argue if we fix all our fuzz issues there would be no alerts or fatigue)
But as Bryan said, GitHub would be best. If that's too hard we can create a separate mailing list just for this.
First, this is awesome, oss-fuzz was on my list for the next quarter.
I agree GitHub issues would be best. I'd only make an exception for the crypto packages (crypto/... and golang.org/x/crypto/...), which should go to security@. I can think of multiple fuzzed security issues there over the years.
I'll join the google/oss-fuzz#2188 thread after reading how the integration works, as I'd be happy to maintain and expand the fuzzers for the crypto code in particular. Also, I know of another effort by @mmcloughlin which we should probably merge.