OSS-Fuzz integration #326
Comments
|
Sounds great! You can use my email ([email protected]), @tarcieri also may be interested. Note that we plan to migrate crate to |
|
Great, thanks for your quick reply. I will do the integration now and once you merge that PR I will fix any build failures. @tarcieri 's e-mail can be added later. |
|
@guidovranken you can add me at [email protected] |
|
Thanks. The project has been integrated. If a bug is found you will get an e-mail. In the e-mail is a link to the bug report; you can click it and log in with your Google account. We can comment on the bug report; I will provide bug and reproduction information for you there. You will also receive an e-mail whenever a bug is detected as being fixed. Please feel free to reach out to me if you have any questions. |
OSS-Fuzz
OSS-Fuzz is an initiative by Google which continually fuzzes open source software on Google infra, free of charge.
Fuzzer
For fuzzing cryptographic libraries I use Cryptofuzz which uses differential fuzzing to find implementation bugs. It has found hundreds of bugs in major libraries.
Currently implemented for RustCrypto: most hashes + HMAC with most hashes + CMAC/aes + most KDFs + OFB/CFB/CTR with most block ciphers encryption/decryption + bignum ops (U256).
I will be extending the harness going forward.
What I need
One or more e-mail addresses of the maintainers linked to a Google account. These will be publicly viewable in the
project.yamlfile of the OSS-Fuzz project.What is expected from you
OSS-Fuzz will send automated reports upon discovering a bug. It is expected that you fix the bug. I will be stand by to explain the fuzzer output and create a reproducer if needed. OSS-Fuzz will automatically detect if a bug has been fixed. The bug will be publicly disclosed after 90 days, regardless of whether it has been fixed or not.
Please let me know if there is any interest in this.
The text was updated successfully, but these errors were encountered: