doc: add OSS-Fuzz section to fuzzing.md doc #21856
adamjonas wants to merge 1 commit into bitcoin:master from adamjonas:add-oss-fuzz, changing 1 file (+12 −0)
adamjonas commented at 5:52 PM on May 4, 2021: member
This adds documentation about Bitcoin Core's participation in Google's OSS-Fuzz program and adds the caveat that the project may not disclose vulnerabilities within the 90-day window described in the program's disclosure guidelines.
michaelfolkson commented at 6:10 PM on May 4, 2021: contributor
What was the nature of the exemption that Google granted for disclosures? Did we get 15 months like @jonasnick requested?
DrahtBot added the label Docs on May 4, 2021
MarcoFalke commented at 6:11 AM on May 5, 2021: member
I did a survey of all bugs found first by fuzzing, excluding known bugs that can merely be reproduced by fuzzing (regression fuzz testing). I found that most bugs fall into one of the categories:
- Silent merge conflict (forgetting to update the fuzz target after code changes)
- A bug in the fuzz target itself
- A recently introduced critical (exploitable) bug, but only present in the master (main development) branch
- A minor (non-exploitable) bug, potentially present in previous releases
I believe none of the previously found bugs would warrant an extended disclosure timeline. However, it is not possible to exclude that such a bug may be found. For the hopefully extremely rare case, we may opt to hide a bug report for longer than 90 days. See https://github.com/bitcoin-core/secp256k1/issues/739#issuecomment-614831028 for an example where a longer deadline would be needed.
in doc/fuzzing.md:236 in 94497a6960 outdated
229 | @@ -230,3 +230,15 @@ $ honggfuzz/honggfuzz --exit_upon_crash --quiet --timeout 4 -n 1 -Q \ 230 | -nodebuglogfile -bind=127.0.0.1:18444 -logthreadnames \ 231 | -debug 232 | ``` 233 | + 234 | +# OSS-Fuzz 235 | + 236 | +Bitcoin Core participates in Google's [OSS-Fuzz](https://github.com/google/oss-fuzz)
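Review bot: the link at line 236 points at the OSS-Fuzz repository root (https://github.com/google/oss-fuzz) rather than at the project's own integration directory, so a reader has to search the projects tree to find the Bitcoin Core entry; link https://github.com/google/oss-fuzz/tree/master/projects/bitcoin-core directly, which is where the build script and project configuration for this integration live.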
MarcoFalke commented at 6:13 AM on May 5, 2021: Could link to https://github.com/google/oss-fuzz/tree/master/projects/bitcoin-core to avoid having to search for it?
MarcoFalke approved
MarcoFalke commented at 6:14 AM on May 5, 2021: member
ACK. No objections linking to https://github.com/google/oss-fuzz/tree/master/projects/bitcoin-core for convenience.
practicalswift commented at 9:47 AM on May 5, 2021: contributor
ACK 94497a6960e56b06ec6d36e2fd80af84b4ba9c42
michaelfolkson commented at 11:04 AM on May 5, 2021: contributor
On the assumption that the @jonasnick @sipa disclosure deadline concerns have been addressed I'm an ACK. It would be nice to give the people working on fuzzing access to whatever tools they feel would be useful, assuming we have addressed prior concerns raised.
I'm not clear if those concerns have been met or not though. I'm also not clear whether (or when) this decision to join Google's OSS-Fuzz program has already been made.
This is the exact wording from the OSS-Fuzz doc.
Deadline. After notifying project authors, we will open reported issues to the public in 90 days, or after the fix is released (whichever comes earlier).
It sounds like we have received no guarantee or exemption from Google that this won't also be the case for Bitcoin Core project(s). @MarcoFalke sounds comfortable with that but I'm unsure if @jonasnick @sipa are?
ryanofsky commented at 12:33 PM on May 5, 2021: member
Code review ACK 94497a6960e56b06ec6d36e2fd80af84b4ba9c42. @michaelfolkson, your concern here is good, but in case the concern isn't really about the text of this PR but some larger issue about bug disclosures, the best place to discuss that may be a separate issue, rather than this PR, which is just trying to document what our participation in this program is, link to our dashboard, and be transparent about what's going to show up in the dashboard. Maybe there could be a bigger document about what considerations go into disclosures that this could link to later.
I don't know all the details, but my understanding of Google's policy and our arrangement with Google is that we (presumably contacts from https://github.com/google/oss-fuzz/pull/5699) just have control over what shows up in the dashboard. We plan to follow Google's policies and disclose as much as possible as quickly as possible, but Google's policies allow exceptions in "extreme circumstances" (https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html), and in our case, where we are concerned about the health of a live network where updates happen over time, and effects from non-updated nodes can spill over to updated nodes, we're just trying to be straightforward about the fact that exceptions may be a little more likely for our application than for some other ones, and that the existence of the dashboard doesn't imply automated or guaranteed disclosure. Disclosure is going to continue to be an imperfect process where people are going to try to use their intuition and judgement, the same way they always have. It's good to have policies and to document policies, but I don't think anybody thinks we are or should be trapped by some policy.
michaelfolkson commented at 1:28 PM on May 5, 2021: contributor
@ryanofsky: Ok cool. I wouldn't have discussed it on this documentation PR if I was aware that the decision had already been made. I wasn't aware of https://github.com/google/oss-fuzz/pull/5699 and I wasn't aware what had changed since https://github.com/bitcoin-core/secp256k1/issues/739#issuecomment-614831028. But it seems like I'm missing context from private discussions (or maybe a public IRC discussion?). Assuming people are happy it doesn't matter either way.
47c3ea021e doc: add OSS-Fuzz section to fuzzing.md doc
Co-authored-by: Russell Yanofsky <russ@yanofsky.org>
adamjonas force-pushed on May 5, 2021
adamjonas commented at 2:13 PM on May 5, 2021: member
Updated OSS-Fuzz link to point to https://github.com/google/oss-fuzz/tree/master/projects/bitcoin-core.
jonatack commented at 2:18 PM on May 5, 2021: memberACK 47c3ea021e867206172cdb6546a76d23baa958bb
Text looks fine and links are functional.
MarcoFalke merged this on May 5, 2021
MarcoFalke closed this on May 5, 2021
sidhujag referenced this in commit d6fb4a17c2 on May 5, 2021
in doc/fuzzing.md:237 in 47c3ea021e
229 | @@ -230,3 +230,15 @@ $ honggfuzz/honggfuzz --exit_upon_crash --quiet --timeout 4 -n 1 -Q \ 230 | -nodebuglogfile -bind=127.0.0.1:18444 -logthreadnames \ 231 | -debug 232 | ``` 233 | + 234 | +# OSS-Fuzz 235 | + 236 | +Bitcoin Core participates in Google's [OSS-Fuzz](https://github.com/google/oss-fuzz/tree/master/projects/bitcoin-core) 237 | +program, which includes a dashboard of [publicly disclosed vulnerabilities](https://bugs.chromium.org/p/oss-fuzz/issues/list).
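Review bot: line 237 presents https://bugs.chromium.org/p/oss-fuzz/issues/list as a dashboard of this project's publicly disclosed vulnerabilities, but that URL is the issue tracker for every OSS-Fuzz project with no project filter, and the PR description itself says Bitcoin Core may hold some reports past the standard 90-day window. Either link a project-filtered view of the tracker or reword the sentence so readers know the list is OSS-Fuzz-wide and that a Bitcoin Core finding appearing there is not automatic. A link to the latest project coverage report next to it would give readers a project-specific artifact, which the tracker link alone does not.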
MarcoFalke commented at 12:42 PM on May 9, 2021: Should this also link to the latest coverage report https://oss-fuzz.com/coverage-report/job/libfuzzer_asan_bitcoin-core/latest ?
PastaPastaPasta referenced this in commit f75fe9d616 on Sep 21, 2021
gwillen referenced this in commit 50835e366e on Jun 1, 2022
DrahtBot locked this on Aug 18, 2022
This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-22 06:14 UTC