validity of reporting bugs


Mehdi Karimi

Jun 21, 2021, 12:54:55 PM
to osv-discuss
Hello,

For the bugs that OSS-Fuzz is reporting, can you tell how many of those vulnerabilities are being vetted? i.e., confirmed to be a real issue, not benign nor a false positive.

Thanks

Mehdi

Oliver Chang

Jun 25, 2021, 1:58:09 AM
to Mehdi Karimi, osv-discuss
Hi Mehdi,

All OSS-Fuzz bugs are verified to be consistently reproducible and crash in a way that's very likely to have security implications (heap buffer overflows, use-after-frees, etc.). They're bisected to an accurate range of commits and commit tags that include the bug.

Does that answer your question?

--
Oliver


--
You received this message because you are subscribed to the Google Groups "osv-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to osv-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/osv-discuss/c1f2fb00-3748-486f-96bf-09252f830b79n%40googlegroups.com.
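To make the three vetting steps Oliver lists concrete (a reproducibility check, a crash-type classification from the sanitizer report, and a bisection to a commit range), here is a toy model written for this thread. It is an added illustration, not OSS-Fuzz or OSV code: the commit ids, the sanitizer report, the SECURITY_RELEVANT set and the `demo_crashes_at` predicate are all constructed placeholders standing in for a real build-and-run harness.

```python
"""Toy model of OSS-Fuzz-style bug vetting: reproduce, classify, bisect.

Everything here is constructed for illustration: the commit ids, the
sanitizer report text and the crashes_at() predicate stand in for a real
build-and-run harness. It is not the project's own code.
"""
import re
from typing import Callable, List, Optional, Tuple

# Sanitizer bug classes treated as likely security-relevant. This set is an
# assumption for the example, not OSS-Fuzz's canonical severity list.
SECURITY_RELEVANT = {
    "heap-buffer-overflow", "heap-use-after-free", "stack-buffer-overflow",
    "global-buffer-overflow", "double-free", "use-after-poison",
}

# Matches the summary line ASan/MSan/UBSan print, e.g.
# "==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x..."
ERROR_RE = re.compile(r"ERROR: \w+Sanitizer: ([a-z0-9-]+)")


def classify_crash(report: str) -> Tuple[Optional[str], bool]:
    """Step 2: return (bug_type, likely_security) for one run's output.

    (None, False) means no sanitizer error was found in the output.
    """
    m = ERROR_RE.search(report)
    if not m:
        return None, False
    bug = m.group(1)
    return bug, bug in SECURITY_RELEVANT


def is_reproducible(run: Callable[[], str], attempts: int = 3) -> bool:
    """Step 1: the testcase must crash every time with the same bug type."""
    first, _ = classify_crash(run())
    if first is None:
        return False
    return all(classify_crash(run())[0] == first for _ in range(attempts - 1))


def bisect_regression(commits: List[str],
                      crashes_at: Callable[[str], bool]) -> Tuple[Optional[str], str]:
    """Step 3: narrow a chronological commit list to (last_good, first_bad).

    Precondition: commits[-1] crashes and the crash is monotonic (once
    introduced it persists). Returns (None, commits[0]) if even the oldest
    commit crashes, i.e. the bug predates the examined history.
    """
    lo, hi = 0, len(commits) - 1  # invariant: commits[hi] crashes
    if crashes_at(commits[lo]):
        return None, commits[lo]
    while hi - lo > 1:  # invariant: commits[lo] is good, commits[hi] is bad
        mid = (lo + hi) // 2
        if crashes_at(commits[mid]):
            hi = mid
        else:
            lo = mid
    return commits[lo], commits[hi]


# --- constructed sample data (placeholders, not a real target) --------------
SAMPLE_REPORT = """==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018
READ of size 4 at 0x602000000018 thread T0
    #0 0x4f1234 in parse_header /src/example/parse.c:42:10
"""
COMMITS = ["c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7"]  # oldest first
BUG_INTRODUCED_AT = 5  # pretend commit c5 introduced the overflow


def demo_crashes_at(commit: str) -> bool:
    """Stand-in for 'check out this commit, build, run the testcase'."""
    return COMMITS.index(commit) >= BUG_INTRODUCED_AT


if __name__ == "__main__":
    bug, security = classify_crash(SAMPLE_REPORT)
    print(f"bug type: {bug}, likely security-relevant: {security}")
    print("reproducible:", is_reproducible(lambda: SAMPLE_REPORT))
    good, bad = bisect_regression(COMMITS, demo_crashes_at)
    print(f"regressed range: {good}:{bad}")
```

The same `bisect_regression` run over the later history with the inverted predicate (`lambda c: not crashes_at(c)`) yields the fix range, which together with the regressed range is the introduced/fixed pair of commits an OSV entry records. A result of `(None, commits[0])` is the case a triager should watch for: the bug is older than the history examined, so the range is a lower bound, not a pinpoint.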

Mehdi Karimi

Jul 4, 2021, 5:04:13 PM
to osv-discuss
"They're bisected to an accurate range of commits and commit tags that include the bug."

Could you please explain this a bit more? What do you mean by an accurate range of commits? When the fuzzer finds bugs/vulnerabilities, it reserves it in a database? Such as what Black Duck is doing? Also, it preserves the commit code that contains the bug?

For reporting bugs found by the oss-fuzz framework, as long as these bugs are confirmed by the stack developer/owner, I assume we could mark them as genuine ones; otherwise, is there any other way to validate the certainty of bugs, i.e., that the bugs found are vulnerabilities that may/could result in a crash, failure, error, fault or an exploit?

Thanks

Mehdi
