An Empirical Study of OSS-Fuzz Bugs
This provides insights for improving fuzzing tools and practices in open-source software development, though it is incremental as it builds on existing fuzzing services.
The study analyzed 23,907 bugs from OSS-Fuzz to understand fuzzer-found faults, their lifecycles, and campaign evolution, finding that bugs are often found and patched quickly but issues like flaky bugs and lack of CVE reporting persist.
Continuous fuzzing is an increasingly popular technique for automated quality and security assurance. Google maintains OSS-Fuzz: a continuous fuzzing service for open source software. We conduct the first empirical study of OSS-Fuzz, analyzing 23,907 bugs found in 316 projects. We examine the characteristics of fuzzer-found faults, the lifecycles of such faults, and the evolution of fuzzing campaigns over time. We find that OSS-Fuzz is often effective at quickly finding bugs, and developers are often quick to patch them. However, flaky bugs, timeouts, and out of memory errors are problematic, people rarely file CVEs for security vulnerabilities, and fuzzing campaigns often exhibit punctuated equilibria, where developers might be surprised by large spikes in bugs found. Our findings have implications on future fuzzing research and practice.