[evmunro]

They certainly could if their project is large enough! Every widely-used C/C++ project should use OSS-Fuzz, it's an awesome service.

We support a couple of languages that OSS-Fuzz doesn't (Go & Python as of now), which is why I thought this was worth mentioning :)

[treis]

>We support a couple of languages that OSS-Fuzz doesn't (Go & Python as of now), which is why I thought this was worth mentioning :)

I thought the main benefit of fuzzing was finding memory security bugs. If your program is crashing or otherwise erroring out given crazy input that's something you want to fix because it is potentially exploitable. With Python/Go that's not really an attack vector. So what's the benefit from finding out that some crazy input crashes my Python program?

[evmunro]

Memory security issues have been the main focus of fuzzing, but it's really useful for other use cases as well, such as: slowness/hangs, assert failures, panics, excessive resource consumption and DOS attacks. We've also done some work with Go to detect race conditions while fuzzing.

You can also do differential fuzzing to compare 2 different implementations that solve the same problem, or fuzz for invariant violations/assertion failures. I think the possibilities extend far beyond just memory safety, and I'm really looking forward to finding other areas in which fuzzing is applicable.

[treis]

Have you guys run FuzzBuzz against FuzzBuzz? If so, how many bugs did you find?

[nemo1618]

Crashes are exploitable too -- you definitely don't want someone to be able to take your website offline just by sending it a malformed packet. You might not leak user data, but being DoS'd is no fun either.