Comment 2 for bug 1942673

Seth Arnold (seth-arnold) wrote:

Hello, thanks for reporting this to us.

Fuzzers are fantastic tools, but getting good results from them is difficult: they do not actually point out 'the flaw'; it still requires significant investigation of the process state to determine what internal inconsistency has been exposed, before fixing the flaw. This investigation and fixing is best carried out together with upstream software authors, who (reasonably enough) usually want to work with the newest version of their software, or a development version of their software.

So, to get the most value from your fuzzing efforts, please:

- fuzz either the most recent release, or development versions, depending upon the project.
- coordinate fuzzing efforts with the project, to find interfaces that need fuzzing and interfaces that do not need fuzzing.
- minimize the test cases, to simplify root-cause analysis.
- prepare a patch; even if not accepted by upstream developers, a patch that addresses a problem often helps narrow down what needs fixing.
- report results directly to upstream developers, in whatever manner they prefer.

Please also consider submitting test harnesses to upstream developers to use Google's oss-fuzz project, https://google.github.io/oss-fuzz/, which will run fuzzers on projects using Google's resources, for free. Many projects could benefit from this service but may not have the time to learn how to do this themselves.

Thanks
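As an added illustration of the "minimize the test cases" step above (example code written for this page, not part of the comment or of any project it mentions): a small delta-debugging (ddmin) reducer that shrinks a crashing input while a caller-supplied predicate keeps reporting the failure. The `toy_crashes` predicate and its sample input are constructed stand-ins for a real target; `crashes_under` shows how the same reducer would be wired to an actual binary that dies with a signal on stdin. Shorter inputs make the later root-cause step, and the bug report itself, far easier for the upstream maintainers.

```python
import math
import subprocess
from typing import Callable

Predicate = Callable[[bytes], bool]


def ddmin(data: bytes, fails: Predicate) -> bytes:
    """Reduce `data` to a 1-minimal input that still satisfies `fails`.

    Classic delta debugging: split the input into n chunks, try dropping
    each chunk, keep any reduced input that still triggers the failure,
    and refine the granularity when nothing can be dropped. The loop ends
    once every single-byte removal has been tried without success, so no
    single byte of the result can be removed without losing the failure.
    """
    n = 2
    while len(data) >= 2:
        chunk_len = math.ceil(len(data) / n)
        chunks = [data[i:i + chunk_len] for i in range(0, len(data), chunk_len)]
        reduced = False
        for i in range(len(chunks)):
            # Candidate = everything except chunk i (the "complement" test).
            candidate = b"".join(chunks[:i] + chunks[i + 1:])
            if fails(candidate):
                data = candidate
                n = max(n - 1, 2)   # keep roughly the same chunk size
                reduced = True
                break
        if not reduced:
            if n >= len(data):      # already at single-byte granularity
                break
            n = min(n * 2, len(data))
    return data


def toy_crashes(data: bytes) -> bool:
    """Constructed stand-in for a crashing target: it 'crashes' whenever an
    'X' byte appears before a 'Y' byte. Everything else in the input is noise
    that a good minimizer should strip away."""
    x, y = data.find(b"X"), data.find(b"Y")
    return x != -1 and y != -1 and x < y


def crashes_under(cmd: list[str], timeout: float = 5.0) -> Predicate:
    """Build a predicate that feeds the candidate to a real program on stdin
    and treats death by signal (negative return code on POSIX) as a crash.
    Assumes the target reads its input from stdin; not exercised offline."""
    def fails(data: bytes) -> bool:
        try:
            proc = subprocess.run(cmd, input=data, capture_output=True,
                                  timeout=timeout)
        except subprocess.TimeoutExpired:
            return False        # hangs are a different bug class; skip them
        return proc.returncode < 0
    return fails


def minimize_sample() -> bytes:
    """Reduce a constructed 23-byte 'crasher' to its essential bytes."""
    sample = b"junk-X-more-junk-Y-tail"   # constructed fuzzer output
    assert toy_crashes(sample)
    return ddmin(sample, toy_crashes)


if __name__ == "__main__":
    print(minimize_sample())  # b'XY'
```

For a real target, replace `toy_crashes` with `crashes_under(["./target"])` and feed it the fuzzer's crashing file; the reduced output is what should accompany the upstream report, together with the sanitizer or debugger trace it produces.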