Oliver Chang

197 posts

@halbecaf

https://t.co/bmyDmTlFKv Senior Staff Eng @ Google DeepMind. Former: founder of https://t.co/K575lba4tt, lead/co-founder for OSS-Fuzz.

Sydney, Australia. Joined June 2016
148 Following, 1.9K Followers

Oliver Chang retweeted
Samuel Groß @5aelo
We derestricted a number of vulnerabilities found by Big Sleep in JavaScriptCore today: issuetracker.google.com/issues?q=compo… All of them were fixed in the iOS 26.1 (and equivalent) update last month. Definitely some cool bugs in there!

Oliver Chang @halbecaf
Really excited to finally announce CodeMender! As part of this we've already submitted and upstreamed several patches to OSS projects via OSS-Fuzz. Check out our post at: deepmind.google/discover/blog/… There will be more technical details and exciting announcements to come!

Oliver Chang retweeted
Google DeepMind @GoogleDeepMind
Software vulnerabilities can be notoriously time-consuming for developers to find and fix. Today, we’re sharing details about CodeMender: our new AI agent that uses Gemini Deep Think to automatically patch critical software vulnerabilities. 🧵

Oliver Chang retweeted
DonggeLiu @dongge_liu
🚀 Inviting GSoC2025 contributors to supercharge OSS-Fuzz-Gen! Opportunities include: 1. Modularize OSS-Fuzz features 2. Enhance Experiment Execution & Report UI 3. Integrate Research Innovations Interested? Send your resume to donggeliu@google.com 😃 gist.github.com/dynamicwebpaig…

Oliver Chang @halbecaf
OSV-Scanner has just released the first beta for V2, a major update that includes significant new features, including layer-aware container scanning, remediation for pom.xml, new HTML output and more. osv.dev/blog/posts/osv… Please try it out and give us feedback!

Oliver Chang retweeted
Sebastian Lekies @slekies
Today, we announced the official release of OSV-SCALIBR, Google's software composition analysis library. If you are working in vuln management / security scanning, SCALIBR is for you! SCALIBR is powering most of Google's vuln scanning. Please RT security.googleblog.com/2025/01/osv-sc…

Oliver Chang retweeted
Jonathan Metzman @metzmanj
The OSS-Fuzz team is hiring a PhD intern for this summer. Come join us and build the future of fuzzing. Link in next tweet in thread. RTs appreciated!

Oliver Chang @halbecaf
Happy new year! OSV had a lot of great progress in 2024, from new ecosystem adoption, API improvements, and scanner feature development! We just published a blog about these and our 2025 plans here: osv.dev/blog/posts/202… !

Oliver Chang @halbecaf
@jduck @clintgibler @metzmanj This is a very fair point! This is exactly why we haven't turned this on by default for all OSS-Fuzz users. One of our next priorities is to automate as much of the triage to determine if it's a legit vuln / attack surface or not (e.g. using an LLM and/or past reported vulns).

Joshua J. Drake @jduck
@clintgibler @halbecaf @metzmanj I'm concerned that you and your team are not thinking about if code you're testing has no attack surface. I'd be interested to understand what's a real vulnerability vs. just a crash found by fuzzing normally unreachable code/state.

Oliver Chang retweeted
Royal Hansen @royalhansen
The OSS-Fuzz team at @Google is using AI-powered fuzzing to find vulns in open-source software and recently reported 26 new vulns to open-source project maintainers, including one in the OpenSSL library which is critical to most internet infrastructure. security.googleblog.com/2024/11/leveli…

Oliver Chang @halbecaf
New blog post about OSS-Fuzz AI-powered fuzzing is live! We talk about what went into making LLMs work well enough for this use case to find 26 new vulnerabilities (including a CVE in OpenSSL), as well as what else we have planned to make this better. security.googleblog.com/2024/11/leveli…

Oliver Chang @halbecaf
Red Hat joins OSV! openssf.org/blog/2024/11/0… Combined with Ubuntu, Chainguard, and SUSE adopting OSV this year, OSV.dev has really started to become a comprehensive vulnerability source for not only language packages, but also Linux distros!

Oliver Chang @halbecaf
CVE-2024-9143 (openssl-library.org/news/secadv/20…) was disclosed recently, which was found by OSS-Fuzz-Gen! This is a pretty proud example of our team showing the promise of leveraging LLMs to enable more fuzzing coverage.

Oliver Chang @halbecaf
OSV support announced in the latest Ubuntu 24.10 release! This year has seen OSV adoption from many Linux distributions, and the OSV.dev database is starting to become a really comprehensive source of accurate vuln info across major open source ecosystems!
Ubuntu @ubuntu

Today, we proudly unveil Ubuntu 24.10, codenamed "Oracular Oriole" 🔮 Packed with GNOME 47, the Linux 6.11 kernel, permissions prompting, an enhanced command line, OpenVEX and OSV support, and a special #Ubuntu20Years anniversary gift - there’s plenty for you to explore 🚀 Read more: ubuntu.com/blog/canonical… #Ubuntu #Linux #OracularOriole


Oliver Chang retweeted
Ubuntu @ubuntu
Today, we proudly unveil Ubuntu 24.10, codenamed "Oracular Oriole" 🔮 Packed with GNOME 47, the Linux 6.11 kernel, permissions prompting, an enhanced command line, OpenVEX and OSV support, and a special #Ubuntu20Years anniversary gift - there’s plenty for you to explore 🚀 Read more: ubuntu.com/blog/canonical… #Ubuntu #Linux #OracularOriole

Oliver Chang @halbecaf
@microsvuln @dobinrutis I expect that we'll need to do a combination of:
- Implementing these easier automated checks to prune out obvious false positives from incorrect/bad harnesses.
- Have some kind of feedback mechanism from project maintainers (e.g. an annotation on public APIs) to help us out

Oliver Chang @halbecaf
@microsvuln @dobinrutis Yep, there's a lot of low hanging fruit things we can do to determine these automatically (or use an LLM). However, there are also cases when, even as a human, it's hard to tell if something is a legitimate bug or not because of unclear API preconditions and threat models.

Oliver Chang @halbecaf
One week later the bug count is now at 25 bugs total (github.com/google/oss-fuz…). There's still many improvements to be made to improve success rate of generated targets, but we now have the problem of too many crashes to triage. Automating this will be a focus of our future research.
Oliver Chang @halbecaf

This week we've added another 8 trophies to OSS-Fuzz-Gen (for a total of 14)! These are vulnerabilities found by LLM-generated harnesses. The interesting bit here is many of these are in well-fuzzed projects with thousands of hours of fuzzing already. github.com/google/oss-fuz…
