explaingit

google/oss-fuzz

12,244 | Shell | Audience · developer | Complexity · 4/5 | Setup · hard

TLDR

OSS-Fuzz is Google's free continuous fuzz-testing service that automatically throws random inputs at open source software to find crashes, memory errors, and security vulnerabilities at scale.

Mindmap

mindmap
  root((oss-fuzz))
    What it does
      Continuous fuzz testing
      Free for open source
      Crash and bug finding
    How it works
      Random malformed inputs
      Instrumented builds
      Multiple fuzz engines
    Languages Supported
      C and C++
      Python and Go
      Rust Java JavaScript
    Getting Started
      Write build integration
      Submit pull request
      Crashes reported to devs
    Audience
      Open source maintainers
      Security researchers

Things people build with this

USE CASE 1

Integrate your open source C or C++ library into Google's OSS-Fuzz for free continuous security testing.

USE CASE 2

Find memory safety bugs and security vulnerabilities in your software before attackers do.

USE CASE 3

Run ClusterFuzz on your own infrastructure to apply the same fuzzing approach to private projects.

Tech stack

Shell, C, C++, Python, Go, Rust, Java, JavaScript

Getting it running

Difficulty · hard | Time to first run · 1 day+

Joining OSS-Fuzz requires writing a build integration file and submitting a pull request to the oss-fuzz repository.

In plain English

OSS-Fuzz is a free service run by Google that continuously tests open source software projects for bugs by throwing massive amounts of random and malformed inputs at them. This technique, called fuzz testing, is effective at finding crashes, memory errors, and security vulnerabilities that ordinary testing would miss because developers tend to test expected inputs rather than bizarre edge cases. Google originally developed this approach internally to harden Chrome and found thousands of serious bugs. OSS-Fuzz extends that same infrastructure to the broader open source community at no cost. By May 2025, the service had helped identify and fix over 13,000 vulnerabilities and 50,000 bugs across more than 1,000 projects. The system works by running programs in specially instrumented ways, using tools that catch memory access errors, data races, and other common problems the moment they occur. It supports several different fuzzing engines, which are the programs that generate and mutate inputs, and works with code written in C, C++, Rust, Go, Python, Java, JavaScript, and Lua. Open source projects that want to join OSS-Fuzz write a small integration that tells the system how to build and run their code in fuzzing mode. Once integrated, the project's code is tested continuously on Google's infrastructure, and any crashes found are reported to the project's developers. Projects that do not qualify for the free service can run the same underlying tool, called ClusterFuzz, on their own infrastructure.
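To make the "integration" concrete, here is an added example (not code from this page or from the oss-fuzz repository) of a fuzz target written for libFuzzer, one of the engines OSS-Fuzz supports. The `parse_records` function and its record format are hypothetical stand-ins for a library under test.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical library function under test (constructed for this example):
 * parses records of the form [1-byte tag][1-byte length][length bytes].
 * Returns the number of complete records, or -1 on malformed input. */
int parse_records(const uint8_t *data, size_t size)
{
    size_t pos = 0;
    int count = 0;
    uint8_t payload[255];

    while (pos < size) {
        if (size - pos < 2)
            return -1;              /* truncated header */
        uint8_t len = data[pos + 1];
        pos += 2;
        /* Without this check, a length byte larger than the remaining
         * input makes memcpy read past the end of the buffer: the kind
         * of memory error an instrumented (AddressSanitizer) build
         * reports the moment a fuzzer-generated input triggers it. */
        if (len > size - pos)
            return -1;
        memcpy(payload, data + pos, len);
        (void)payload;              /* a real parser would consume it */
        pos += len;
        count++;
    }
    return count;
}

/* libFuzzer entry point: the engine calls this repeatedly with mutated
 * inputs. It must tolerate arbitrary bytes and return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    parse_records(data, size);
    return 0;
}
```

Compiled with clang's `-fsanitize=fuzzer,address`, the engine supplies `main()` and drives `LLVMFuzzerTestOneInput` with generated inputs, so the target itself contains no input-generation logic.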

Copy-paste prompts

Prompt 1
Show me how to write an OSS-Fuzz build integration for a C++ library so it can be submitted for continuous testing.
Prompt 2
Walk me through submitting a new project to OSS-Fuzz: what files do I need to create and what does the pull request look like?
Prompt 3
What types of bugs does fuzz testing find that unit tests typically miss, and how does OSS-Fuzz detect them?
Prompt 4
How does ClusterFuzz work under the hood, and what does it mean when a fuzzing engine reports a crash?

Verify against the repo before relying on details.