"They're bisected to an accurate range of commits and commit tags that include the bug."
Could you please explain this a bit more? What do you mean by an accurate range of commits? When the fuzzer finds bugs/vulnerabilities, does it record them in a database, such as what Black Duck is doing? Also, does it preserve the commit code that contains the bug?
For reporting bugs found by the oss-fuzz framework, as long as these bugs are confirmed by the stack developer/owner, I assume we could mark them as genuine ones; otherwise, is there any other way to validate the certainty of bugs, i.e., that the bugs found are vulnerabilities that may/could result in a crash, failure, error, fault or an exploit?
Thanks
Mehdi