Repository files navigation

Fuzz testing is a well-known technique for uncovering programming errors insoftware. Many of these detectable errors, likebuffer overflow, can haveserious security implications. Google has foundthousands of securityvulnerabilities and stability bugs by deployingguided in-process fuzzing ofChrome components, and we now want to share that service with the open sourcecommunity.

In cooperation with theCore Infrastructure Initiative and theOpenSSF,OSS-Fuzz aims to make common open source software more secure and stable bycombining modern fuzzing techniques with scalable, distributed execution.Projects that do not qualify for OSS-Fuzz (e.g. closed source) can run their owninstances ofClusterFuzz orClusterFuzzLite.

We support thelibFuzzer,AFL++, andHonggfuzz fuzzing engines incombination withSanitizers, as well asClusterFuzz, a distributed fuzzerexecution environment and reporting tool.

Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languagessupported byLLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386builds.

Read ourdetailed documentation to learn how to use OSS-Fuzz.

As of May 2025, OSS-Fuzz has helped identify and fix over 13,000 vulnerabilities and 50,000 bugs across1,000 projects.

• 2024-11-20 -Leveling Up Fuzzing: Finding more vulnerabilities with AI
• 2023-08-16 -AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
• 2023-02-01 -Taking the next step: OSS-Fuzz in 2023
• 2022-09-08 -Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically
• 2021-12-16 -Improving OSS-Fuzz and Jazzer to catch Log4Shell
• 2021-03-10 -Fuzzing Java in OSS-Fuzz
• 2020-12-07 -Improving open source security during the Google summer internship program
• 2020-10-09 -Fuzzing internships for Open Source Software
• 2018-11-06 -A New Chapter for OSS-Fuzz
• 2017-05-08 -OSS-Fuzz: Five months later, and rewarding projects
• 2016-12-01 -Announcing OSS-Fuzz: Continuous fuzzing for open source software