-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fuzz testing with oss-fuzz #2738
Comments
I have some moral/privacy issues with using a google server to find vulns. But if you want to take it up for it DM me on matrix we can try to come up with something. https://github.com/degeri/dcrd-continuous-fuzz for current fuzzing work (I am working on moving this to LibFuzzer). |
OK, I understand your concerns. What about the risk of something like this not being discovered ?https://twitter.com/peter_szilagyi/status/1332047468004077569?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1332047468004077569%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fadalogics.com%2Fblog%2Fthe-importance-of-continuity-in-fuzzing-cve-2020-28362 |
Not against fuzzing. But very against using a centralized google service (And the accepting their rules) for fuzzing. Not sure you have actually read the google rules. They have some restrictive policies. eg:
While 90 day disclosure period is fine for normal software if something requires a consensus change we cant get it done in 90 days.. So then it would require some patch work and multiple fixes. We will be working on their timeline instead of our own. |
Enable Fuzz testing with
oss-fuzz
https://github.com/google/oss-fuzz , the oss-fuzz helped to identify with ethereum DoS https://adalogics.com/blog/the-importance-of-continuity-in-fuzzing-cve-2020-28362The text was updated successfully, but these errors were encountered: