Fuzzing the Java core libs
Fabian Meumertzheim
meumertzheim at code-intelligence.com
Thu May 13 13:54:55 UTC 2021

On Thu, May 13, 2021 at 1:22 PM Alan Bateman <Alan.Bateman at oracle.com>
wrote:
> The workflow is shown on the Vulnerability Group page [1]. There isn't a
> repo that you can test commits on before the publication date.
>
> -Alan
>
> [1] https://openjdk.java.net/groups/vulnerability/
>
Based on the information on that page, there should be no conflict between
the OpenJDK and the OSS-Fuzz policies regarding disclosures (
https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/
).
Is there anyone who would volunteer to receive the finding reports? Every
report comes with a stack trace and the exact input that reproduces the
finding with the fuzzer, i.e., is immediately actionable.
Examples of such reports for fixed bugs can be found at
https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3A%22json-sanitizer%22%20OR%20proj%3A%22fastjson2%22%20OR%20proj%3A%22jackson-core%22%20OR%20proj%3A%22jackson-dataformats-binary%22%20or%20proj%3A%22apache-commons%22&can=1
    
    