
CVE-less vulnerabilities


Posted Jun 27, 2019 19:34 UTC (Thu) by k8to (guest, #15413)
In reply to: CVE-less vulnerabilities by marcH
Parent article: CVE-less vulnerabilities

Have you tried this in practice?

I find most of these shotgun-style tests tend to work poorly, because they take longer to produce results, so time-to-merge pressures mean they end up catching problems many commits in, and many developers aren't excited about trying to figure out whose changes caused the problem. The net result is a lot of finger-pointing and waste, and ultimately this style of test is decommissioned.

Maybe a healthier development culture wouldn't have this problem, or maybe some projects are smaller and fuzz could produce results in minutes. Ideally there's a social hack I'm missing to solve this kind of problem more generally.



CVE-less vulnerabilities

Posted Jun 28, 2019 9:33 UTC (Fri) by marcH (subscriber, #57642)

No, I don't have any experience myself but the article states:

> projects like OSS-Fuzz are finding lots of bugs in an automated fashion—many of which may be security relevant

https://github.com/google/oss-fuzz seems pretty strong on automation and in my experience Google rarely ever pays engineers to perform repetitive tasks.

So it sounds like OSS-Fuzz finally cracked that nut. That's probably why there's an LWN article about it.

