Hi everyone,
Thanks for merging my recent dictionary and seed corpus improvements for fuzz_parse! Before I dive any deeper, I wanted to touch base with you all.
I’m a security researcher usually focused on web and hardware, but I'm currently using GPAC to learn the ropes of fuzzing. It's been an awesome project to work with so far. Recently, I've started drafting some new fuzz targets for areas that OSS-Fuzz doesn't really cover yet, specifically the SDP parser and the BIFS decoder.
To be completely transparent: I'm using the OSS-Fuzz guidelines as my learning framework, and I am hoping to eventually qualify for their reward program.
Because of this, adding these new targets will almost certainly cause an initial spike in OSS-Fuzz bug reports as fresh code paths get hit. I really don't want to overwhelm your issue tracker. To help keep the noise down, my plan is to actively help triage the crashes these new targets find.
Do you have the bandwidth for this right now, or would you prefer I pace the introduction of these new fuzzers slowly?
Also, if you're open to it down the line, I’d love to help integrate CIFuzz so we can catch these bugs directly on pull requests before they even merge.
Let me know what pace works best for you.
Thanks for all your hard work on GPAC!