OSS-Fuzz - Continuous Fuzzing for Open Source Software
Status: Beta. We are now accepting applications from widely used open source projects.
Create New Issue for questions or feedback about OSS-Fuzz.
We successfully deployed guided in-process fuzzing of Chrome components and found hundreds of security vulnerabilities and stability bugs. We now want to share the experience and the service with the open source community.
In cooperation with the Core Infrastructure Initiative, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques and scalable distributed execution.
Currently OSS-Fuzz supports C and C++ code (other languages supported by LLVM may work too).
The following process is used for projects in OSS-Fuzz:
- A maintainer of an opensource project or an outside volunteer creates one or more fuzz targets and integrates them with the project's build and test system.
- The project is accepted to OSS-Fuzz.
- When ClusterFuzz finds a bug, an issue is automatically reported in the OSS-Fuzz issue tracker (example). (Why different tracker?). Project owners are CC-ed to the bug report.
- The project developer fixes the bug upstream and credits OSS-Fuzz for the discovery (commit message should contain the string 'Credit to OSS-Fuzz').
- ClusterFuzz automatically verifies the fix, adds a comment and closes the issue (example).
- 7 days after the fix is verified or 90 days after reporting, the issue becomes public (guidelines).
Accepting New Projects
To be accepted to OSS-Fuzz, an open-source project must have a significant user base and/or be critical to the global IT infrastructure. To submit a new project:
- Create a pull request with new
projects/<project_name>/project.yamlfile (example) giving at least the following information:
- project homepage.
- e-mail of the engineering contact person to be CCed on new issues. This
email should be
linked to a Google Account (why?) and belong to an established project committer (according to VCS logs). If this is not you or the email address differs from VCS, an informal e-mail verification will be required.
- Note that
project_namecan only contain alphanumeric characters, underscores(_) or dashes(-).
- Once accepted by an OSS-Fuzz project member, follow the New Project Guide to write the code.
Bug Disclosure Guidelines
Following Google's standard disclosure policy OSS-Fuzz will adhere to following disclosure principles:
- 90-day deadline. After notifying project authors, we will open reported issues in 90 days, or 7 days after the fix is released.
- Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- Grace period. We have a 14-day grace period. If a 90-day deadline expires but the upstream engineers let us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.
- Glossary describes the common terms used in OSS-Fuzz.
- New Project Guide walks through the steps necessary to add new projects to OSS-Fuzz.
- Ideal Integration describes the steps to integrate fuzz targets with your project.
- Accessing corpora describes how to access the corpora we use for fuzzing.
- Fuzzer execution environment documents the environment under which your fuzzers will be run.
- Projects lists OSS projects currently added to OSS-Fuzz.
- Chrome's Efficient Fuzzer Guide while contains some chrome-specifics, is an excellent documentation on making your fuzzer better.
- Blog posts: 2016-12-01 (1, 2, 3)
This page gives the latest build logs for each project.
This page gives a list of publically viewable fixed bugs found by OSS-Fuzz.