Creating an OSS-Fuzz project for the Rust compiler and stdlib

Fuzz testing needs a lot of compute, so Google offers to run fuzzing for open source projects that are critical to the software ecosystem. The program, called OSS-Fuzz, has so far found 14000 vulnerabilities in 200 projects; Firefox and Golang are two of those projects. OSS-Fuzz: https://google.github.io/oss-fuzz/

Starting a new OSS-Fuzz project

The first step to include an open source project in OSS-Fuzz is to open a pull request against the OSS-Fuzz repo: https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/

One of the prerequisites is that the person opening the PR is a long-time contributor to the project, which Google validates through VCS logs. Once the PR is accepted, fuzzers can be written, ideally targeting nightly. Read more here: https://google.github.io/oss-fuzz/getting-started/new-project-guide/
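As an added example (not code from the gist or from the Rust project), this is the shape a stdlib fuzz target could take once the project is accepted: under cargo-fuzz, which OSS-Fuzz uses for Rust, the function would be wrapped in `libfuzzer_sys::fuzz_target!`; here it is written std-only so it builds and runs without the fuzzing runtime. The name `fuzz_one`, the chosen invariants and the seed inputs in `main` are my own choices.

```rust
// Added example (std-only): the body of a libFuzzer-style harness for stdlib
// string and integer APIs. Under cargo-fuzz / OSS-Fuzz the same function would
// be wrapped as:  libfuzzer_sys::fuzz_target!(|data: &[u8]| { fuzz_one(data); });

/// Check stdlib invariants on one fuzzer-provided input. Returns Err with a
/// description when an invariant is violated (a real harness panics instead).
pub fn fuzz_one(data: &[u8]) -> Result<(), String> {
    match std::str::from_utf8(data) {
        Ok(s) => {
            // Strict and lossy decoding must agree on valid UTF-8.
            let lossy = String::from_utf8_lossy(data);
            if &*lossy != s {
                return Err("lossy decode differs from strict decode".into());
            }
            // Re-encoding the chars must reproduce the original bytes exactly.
            let reencoded: String = s.chars().collect();
            if reencoded.as_bytes() != data {
                return Err("char round trip changed the bytes".into());
            }
            // char_indices must walk contiguous, valid char boundaries.
            let mut next = 0;
            for (i, c) in s.char_indices() {
                if i != next || !s.is_char_boundary(i) {
                    return Err(format!("bad char boundary at byte {i}"));
                }
                next = i + c.len_utf8();
            }
            // Anything that parses as i64 must survive a format/parse round trip.
            if let Ok(n) = s.parse::<i64>() {
                if n.to_string().parse::<i64>() != Ok(n) {
                    return Err(format!("i64 round trip failed for {n}"));
                }
            }
        }
        Err(_) => {
            // Invalid UTF-8: lossy decoding must insert at least one U+FFFD.
            if !String::from_utf8_lossy(data).contains('\u{FFFD}') {
                return Err("invalid input decoded without U+FFFD".into());
            }
        }
    }
    Ok(())
}

// Stand-alone driver over constructed seed inputs (a fuzzer would mutate these).
fn main() {
    let seeds: [&[u8]; 4] = [b"hello", "h\u{e9}llo \u{1F980}".as_bytes(), b"-0042", &[0xff, 0xfe, b'a']];
    for seed in seeds {
        fuzz_one(seed).expect("stdlib invariant violated");
    }
}
```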

Workload and required aid

I'm happy to write the fuzzers. I wouldn't mind making the PR to OSS-Fuzz either. Only, I do not have any contributions to the Rust compiler. So I was wondering if there is interest in the Rust compiler team to help with that?

Also, I could benefit from access to build logs etc., anything that can give me a good idea of which coverage paths to fuzz. Or if someone is happy to review some of my fuzz code.

Benefits of fuzzing

The author of this blog post actually reported 8 vulnerabilities to the Rust compiler project: http://www.vegardno.net/2018/06/compiler-fuzzing.html

Vulnerabilities reported: https://github.com/rust-lang/rust/issues?q=author%3Avegard

Fuzzing the stdlib is probably more rewarding, as those crashes might lead to severe vulnerabilities.

Google actually pays for fuzz projects

I have non-monetary reasons for wanting to do this. For one, I champion Rust in a couple of large organisations I intend to work with, and it benefits us to know about potential vulnerabilities early. But given that Google might reward the project and the fuzz integrator for their work, I feel I should mention that the possibility exists: https://google.github.io/oss-fuzz/getting-started/integration-rewards/
