OSS-CRS: Liberating AIxCC Cyber Reasoning Systems for Real-World Open-Source Security
This work makes AI-driven cyber reasoning systems more accessible and practical to deploy for open-source security, enabling broader use by security researchers and developers. It is incremental in that it builds on existing competition systems.
The paper tackles the problem that AI Cyber Challenge (AIxCC) cyber reasoning systems (CRSs) are unusable outside their original competition infrastructure. It introduces OSS-CRS, an open, locally deployable framework for running and combining CRS techniques on real-world open-source projects, which resulted in the discovery of 10 previously unknown bugs, including three high-severity ones, across 8 OSS-Fuzz projects.
DARPA's AI Cyber Challenge (AIxCC) showed that cyber reasoning systems (CRSs) can go beyond vulnerability discovery to autonomously confirm and patch bugs: seven teams built such systems and open-sourced them after the competition. Yet all seven open-sourced CRSs remain largely unusable outside their original teams, each bound to the competition cloud infrastructure that no longer exists. We present OSS-CRS, an open, locally deployable framework for running and combining CRS techniques against real-world open-source projects, with budget-aware resource management. We ported the first-place system (Atlantis) and discovered 10 previously unknown bugs (three of high severity) across 8 OSS-Fuzz projects. OSS-CRS is publicly available.