6 yrs since OSS-Fuzz started, reached 850 projects, fixed 8,800 vulns & 28,000 stability bugs & next we are bumping up OSS-Fuzz rewards: more reward categories for improving coverage and horizontal leet rewards for impacting hundreds of projects -
Oliver Chang
@halbecaf
@halbecaf@mastodon.social
Senior Staff Eng @ Google Open Source Security. Leading OSV.dev, OSS-Fuzz.
Sydney, Australia. Joined June 2016
Oliver Chang’s Tweets
#OSV-Scanner continues to serve OSS community's vuln scanning needs. v1.1.0 release is out, 4.1K stars & 18 new community contributors in a month since launch! Thank you contributors for adding new features (e.g. NuGet, Gradle support), bug & doc fixes -
Top performing entries will be eligible to be considered for a new OSS-Fuzz FuzzBench reward (up to $11,337 depending on impact).
The OSS-Fuzz and FuzzBench team is helping to run the SBFT'23 fuzzing competition this year!
sbft23.github.io/tools/fuzzing
Please submit an entry if you're interested in participating! Entries for expressing interest close on Jan 13.
"This is where 's new OSV Scanner comes into play, automatically matching code in all dependencies for a given software project, including transitive dependencies, and notifying the developers when a security update is required."
Google released an open source SCA (Software Composition Analysis) security scanner a few days ago using osv.dev as the vuln data source.
I didn't realize Google dropped a neat open-source vulnerability scanner written in Go. Looks like it scans lockfiles, packages, and commit hashes. Performs the scan using the OSV API.
OSV-Scanner 1.0.1 is now available!
Big thanks to the community for the incredibly fast feedback and contributions (and the 860+ GH stars in 2 days)!
🔎 No doubt that osv-scanner folks did a great job! It's very promising, fast, and uses open-source OSV.dev databases!
Try it now: github.com/google/osv-sca
Test: cosign, 8855 files, all latest (as of now)
This is just the start. We have a lot of things planned for this wrt automated prioritisation, false positive reduction, and guided remediation.
If you don't know osv.dev yet, this is the time. We used it for auto-remediation of vulnerable packages (think Dependabot but with better UX) and it's just perfect.
+++ Thread +++
Potential RCE found in HyperSQL (CVE-2022-41853).
CVSS base score: 9.8 🚨
More information and remediation instructions are in the thread below and in our blog: code-intelligence.com/blog/potential
#CVE #RCE #hsqldb #opensource #CVSS
Quote Tweet
#OWASP Dependency-Track v4.6.0 is now available!
Lots of good stuff in this release, including support for vulnerability aliases, #OSV integration, multiple policy enhancements, and performance improvements.
Read the full changelog here: docs.dependencytrack.org/changelog/
Two security issues in found by way of Fuzzing with OSS-Fuzz and custom sanitizers. twitter.com/golang/status/
Is past remediation performance the right signal for assessing future vulnerability exposure risk?
Fun stat: "In npm and PyPI almost 60% of the vulnerabilities in our database were remediated BEFORE the publication of the corresponding advisory."
blog.deps.dev/post-advisory-
OSS-Fuzz has been really helpful for ! It has revealed hidden bugs in the Flux controllers and helped us discover and patch vulnerabilities, such as the Helm DoS CVE that we've made public last week github.com/fluxcd/flux2/s. Thanks ❤️
We published a blogpost on SystemSan - our sanitizer for command injection which found a remote code execution vulnerability in tinygltf.
security.googleblog.com/2022/09/fuzzin
We will pay rewards for sanitizers that can find non C/C++ specific vulnerabilities such as SQLI, XSS, and SSRF.
Say hello to Jazzer.js!
Today, we're open sourcing our coverage-guided in-process fuzzing engine for . Jazzer.js is based on libfuzzer and brings many of its instrumentation-powered mutations to the #JavaScript ecosystem.
Give it a try on !
Join in his talk "OpenSSF's Package Analysis" as he discusses the challenges with uploading malicious packages to a package repository, typosquatting, and dependency confusion. He will be sharing stories and what we can do about this.
bsidesmelbourne.com/2022-openssf.h
This was discovered by our ptrace based sanitizer tool here: github.com/google/oss-fuz. This is an unexplored territory with lots of potential!
Proof that fuzzing can discover exploitable vulnerabilities that aren't memory corruption! OSS-Fuzz discovered a very interesting command injection vulnerability which was just fixed:
Great example of FuzzIntrospector being used to improve code coverage of an existing critical project in OSS-Fuzz (Unix file utility) -
The deps.dev team just released a very insightful blog post on the challenges of dealing with complex dependency graphs and managing vulnerabilities! blog.deps.dev/after-the-advi
Indexing Debian advisories to exact affected versions was a surprisingly difficult problem. Hopefully this makes Debian advisories more accessible to all!
curl -X POST -d '{"version": "2.2.12-1+deb10u1", "package": {"name": "gnupg2", "ecosystem": "Debian"}}' "https://api.osv.dev/v1/query"
I'm excited to announce that osv.dev/list?ecosystem now includes all Debian DSA and DLA advisories!
You can quickly query our API to see if a package at a given version is affected by a vulnerability:
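As an added example (not code from the tweet, nor from the OSV project itself), here is the same lookup done from Python: it builds the /v1/query body shown in the curl command above, and walks the OSV records that come back to pull out each vulnerability's id, its aliases, and the "fixed" versions from the ECOSYSTEM ranges that apply to the queried package, which is what you need to turn "affected" into "upgrade to X". The response embedded below is constructed for illustration only; its id, alias and fixed version are placeholders, not real advisories. The "Debian" ecosystem string is taken from the tweet; check the current OSV ecosystem list before relying on it, as newer data uses release-suffixed names.

```python
import json
import urllib.request

# Endpoint as shown in the tweet (scheme restored).
OSV_QUERY_URL = "https://api.osv.dev/v1/query"


def build_query(name: str, ecosystem: str, version: str) -> dict:
    """Request body for POST /v1/query: one package at one exact version."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def query_osv(name: str, ecosystem: str, version: str, timeout: float = 10.0) -> dict:
    """Live lookup (needs network). Returns the parsed JSON, i.e. {"vulns": [...]} or {}."""
    body = json.dumps(build_query(name, ecosystem, version)).encode()
    req = urllib.request.Request(
        OSV_QUERY_URL,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fixed_versions(vuln: dict, name: str, ecosystem: str) -> list:
    """'fixed' events from the ECOSYSTEM ranges of the affected entries for our package.

    One OSV record can cover several packages/ecosystems, so filter on both
    before reading ranges; GIT ranges hold commits, not package versions.
    """
    fixed = []
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            for event in rng.get("events", []):
                if "fixed" in event:
                    fixed.append(event["fixed"])
    return fixed


def summarize(response: dict, name: str, ecosystem: str) -> list:
    """Reduce a /v1/query response to [{id, aliases, fixed}, ...].

    The API already did the version matching server-side, so an empty list
    means "no known vulnerability affects this exact version".
    """
    return [
        {
            "id": v["id"],
            "aliases": sorted(v.get("aliases", [])),
            "fixed": fixed_versions(v, name, ecosystem),
        }
        for v in response.get("vulns", [])
    ]


# Constructed sample response in the OSV schema; placeholder id, alias and
# fixed version only, not real advisory data.
SAMPLE_RESPONSE = {
    "vulns": [
        {
            "id": "DSA-0000-1",
            "aliases": ["CVE-0000-00000"],
            "summary": "placeholder advisory for the example",
            "affected": [
                {
                    "package": {"ecosystem": "Debian", "name": "gnupg2"},
                    "ranges": [
                        {
                            "type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "2.2.12-1+deb10u9"}],
                        }
                    ],
                }
            ],
        }
    ]
}

if __name__ == "__main__":
    # Offline run against the constructed response; swap in query_osv(...) for a live check.
    for entry in summarize(SAMPLE_RESPONSE, "gnupg2", "Debian"):
        print(entry["id"], entry["aliases"], "fixed in:", entry["fixed"])
```

Note that filtering by ecosystem matters even for a single-package query: records aggregated from several sources can carry `affected` entries for other distributions of the same package, and their fixed versions are not the one you want.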
ClusterFuzzLite triggered on a new PR to a project via actions is a complete game changer for security. This is scalable security done right. You should deploy this and require it yesterday.
How to make SBOM actionable? Check out this blog post on combining SBOM with OSV to find known vulnerabilities in your open source dependencies. VEX is coming next!
We're excited to launch Fuzz Introspector, a tool targeted at helping developers identify coverage bottlenecks & write more productive fuzzers. This is fully integrated in the OSS-Fuzz service as well, we encourage developers to try it out -
Congrats and well deserved!
Quote Tweet
We raised $12M in Series A funding
We will use the investment to expand the reach of feedback-based fuzzing to more programming languages, vulnerability classes, and dev tools.
Thanks to the whole team and everyone else who contributed.
code-intelligence.com/blog/series-a
Fuzzing hooks can help you to find more bugs, by refining your fuzzer input to explore deeper program states.
I wrote a blog post that will help you to easily craft and apply fuzzing hooks on your own code using Jazzer.
S/O to ClusterFuzzLite () for pushing a fix for a reported issue within 30 minutes! I'm (still) looking forward to using CFLite more.
github.com/google/cluster
#fuzzing #security #infosec #learning #programming
Over the last few months I've been working on an Open Source project for the to analyse packages available on public repositories to detect maliciousness. Read more about it here:
security.googleblog.com/2022/04/the-pa and here:
Introducing Package Analysis: Scanning open source packages for malicious behavior -
I'll be speaking at the #OSSUMMIT with ! Come hang out and learn more about scalable management of vulnerabilities in open source!
New OSV site at osv.dev. Learn why a precise, interchangeable schema matters & ways to access this aggregated data. 19K vulns incl Android (800), Go (489), Linux (6095), Maven (1204), NPM (2424), NuGet (174), OSS-Fuzz (2450), Packagist (834), PyPI (3177), Ruby (459), Rust (780)
#CloudNative Fuzzing – A post on integrating into OSS-Fuzz with 60 fuzzers. Many findings, including CVE-2022-23635 which “.. allowed anyone, including unauthenticated users, to send malicious payloads that could crash the control plane server“
Super excited to have worked with the awesome folks at GitHub on github.com/ossf/osv-schema as part of this. Congrats on the launch and very eager to see the very positive impact this will have on vuln management in open source!
Quote Tweet
GitHub's database of security advisories is now open-source and available for community contributions!
I'm so grateful to the team, who have been working on this since before I came to @github.
Another step forward in reimagining the security industry.
github.blog/2022-02-22-git