
oss-fuzz

Shell ★ 12k updated 1d ago

OSS-Fuzz - continuous fuzzing for open source software.

OSS-Fuzz is Google's free continuous fuzz-testing service that automatically throws random inputs at open source software to find crashes, memory errors, and security vulnerabilities at scale.

Shell, C, C++, Python, Go, Rust, Java, JavaScript | setup: hard | complexity 4/5

OSS-Fuzz is a free service run by Google that continuously tests open source software projects for bugs by throwing massive amounts of random and malformed inputs at them. This technique, called fuzz testing, is effective at finding crashes, memory errors, and security vulnerabilities that ordinary testing would miss because developers tend to test expected inputs rather than bizarre edge cases.

Google originally developed this approach internally to harden Chrome and found thousands of serious bugs. OSS-Fuzz extends that same infrastructure to the broader open source community at no cost. By May 2025, the service had helped identify and fix over 13,000 vulnerabilities and 50,000 bugs across more than 1,000 projects.

The system works by running instrumented builds of the target programs, using tools that catch memory access errors, data races, and other common problems the moment they occur. It supports several different fuzzing engines, which are the programs that generate and mutate inputs, and works with code written in C, C++, Rust, Go, Python, Java, JavaScript, and Lua.

Open source projects that want to join OSS-Fuzz write a small integration that tells the system how to build and run their code in fuzzing mode. Once integrated, the project's code is tested continuously on Google's infrastructure, and any crashes found are reported to the project's developers. Projects that do not qualify for the free service can run the same underlying tool, called ClusterFuzz, on their own infrastructure.

Where it fits