►
From YouTube: Weekly Secure::Fuzz Testing Group Meeting 2020-07-07
Description
Weekly meeting of fuzz testing group
A
B
Saw
that
as
well,
I
did
not
create
an
issue
to
be
honest
with
you,
I'm,
not
even
sure,
where
that
whole
thing
stands
because
I
think
they
were
implementing
asset
size
restrictions
and
then
they
probably
need
a
estimated
size
for
us.
That's
been
sitting
there
for
a
while,
so
I
haven't
moved
on
that
and
and
I
don't
think
they
were
enforcing
restrictions
at
least
initially
right.
A
Yeah,
that's
in
part
tied
to
the
whole
like
understanding
more
for
customers
about
their
storage,
what
they're
using
so
they
can
do
better
predictability
around
their
resource
and
since
it's
not
created
I'll
go
ahead
and
take
the
action
to
create
that
and
I'll
see,
see
you
all.
We
can
start
the
discussion
there.
Asynchronously
perfect.
C
Alright,
this
was
just
kind
of
a
question
about
the
open,
merge
request
that
I
have
on
github
runner
to
use
the
fuzzing
features.
I
could
expand
on
the
mr2
fuzz
and
some
of
the
other
targets
that
I
had
mentions
like
the
file
names
within
zip
files
or
there's
one
other
one
that
seemed
like
it
would
be
interesting
to
fuzz.
C
C
I
guess
I
should
say
part
of
the
the
reason
why
it
doesn't
see
that
clear
to
me
is
because
it
is
not
the
best
it's
not
as
simple
or
ideally
suited
for
fuzzing
as
say
an
image,
parsing
library
right
and
that's
the
reason
why
I'm
a
little
on
the
fence
about
it.
It
will
use
the
features
and
it
will
add
some
extra
degree
of
testing.
But
it's
not
Mike.
It's
not
an
ideal
situation
for
fuzzing.
A
C
And
currently
it's
just
fuzzing
how
it
parses
the
yeah
mo,
which
isn't
that
useful
that
new
Marv
was
mostly
about
going
through
the
process
of
wiring
everything
up
just
doing
the
dogfooding.
There
are
a
few
other
targets
within
github
runner.
That
would
be
more
interesting
to
fuzz.
But
even
then
it's
not
an
ideal
situation
for
closing
I
I.
B
Would
definitely
do
I
I
would
not
merge
it.
Okay,
because
you
know
just
looking
at
the
implementation
and
how
this
is
written.
It
doesn't
follow
all
the
things
that
we
have
in
the
documentation
that
you
Vienna
is
merging
in
so
I
wouldn't
want
to
be
using
things
on
gitlab,
proper
projects
that
doesn't
follow
our
own
documentation.
Oh
oh
yeah,.
C
B
B
Because
I
think
from
a
sales
perspective
or
a
product
story
perspective,
it's
like
well
here.
You've
got
this
great
fuzzing
technique,
technology,
but
you're
not
using
it,
and
it's
not
merged
into
any
of
your
your
projects.
So
we
do
need
to
figure
out
how
to
get
some
of
these
merge
into
our
projects.
Okay,
yeah.
D
I
think
we
can
can
merge
it,
but
even
even
if
it's
not
the
ideal
situation,
just
just
for
you
know,
internal
testing,
I
think
it's
like
you
already
wrote
the
first
target
and
it
works.
I
mean
why
why
not
go
probably
find
more
more
bugs
that
we
have,
and
we
can,
you
know,
catch
things
early
on
as
well.
C
Yep,
that
makes
sense,
so
that's
about
it.
I
didn't
have
any
other
mm-hmm
questions
about
it.
So
I
guess
I
have
the
next
one
as
well
so
API
dogfooding
I,
didn't
really
work
on
it
that
much
last
week,
but
it's
going
pretty
quickly
thanks
to
the
documentation
that
Mike
provided
yeah.
So
it
is
it's
not
as
simple
as
just
including
the
CI
mo
I
do
have
to
jump
through
more
steps,
but
it
is
pretty
straightforward
about
what
I
have
to
do
and
related
to
that.
Though,
I
created
the
miscellaneous
group
under
fuzzing
backend
Seth.
C
If
you
don't
like
it
feel
free
to
delete
it,
but
I
ran
into
this
problem
and
on
the
vulnerability
research
team,
creating
top
level
projects
within
fuzzing
back-end.
There's
permissions
wise
makes
it
easier
for
all
the
members
of
the
team
to
be
able
to
move
projects
around
and
manage
them
if
they're
within
subgroups
of
the
main
group
and
the
epic
that
I
linked
kind
of
talks
about
that
and
yeah,
so
I
figured
I'd
bring
it
up.
Since
it's
a
pretty
fuzzy
back-end
is
a
pretty
fresh
group.
B
Yeah,
this
is
a
good
question,
because
we
have
we
have
a
lot
of
utilities
that
are
not
necessarily
in
the
analyzers,
the
analyzers
folder.
The
we
have
things
in
there
is
those
generate
doctor
images
and
for
customers
that
are
using
offline
installs.
They
just
get
analyzer
slash
whatever,
and
so
anything
that
has
a
docker
image,
so
projects
that
are
not
generating
docker
images,
don't
necessarily
need
to
live
in
analyzers,
and
so
we
do
need
a
good
home
for
that
I
haven't,
given
it
much
thought.
B
C
It
may
be
just
the
way,
vulnerability,
research
or
the
vulnerability
research
group
was
set
up,
but
it
causes
problems
having
the
top-level
projects,
because,
even
though
all
of
us
on
the
vulnerability
research
team
are
maintained,
errs
of
that
group,
we
couldn't
move
projects,
and
so,
even
if
we
wanted
to
organize
it,
we
couldn't
if
they
were
all
in
subgroups
to
begin
with,
we'd,
be
able
to
move
them
around.
That
we'll
know.
B
Yeah
so
I
think
that
makes
sense
to
have
a
subgroup
if
that
gets
around
the
limitation
and
then
yeah,
for
example,
this
dogfooding
isn't
a
customer
facing
project,
so
we
can
throw
that
in
there
all
day.
Long
I
think
the
organization
question
I
have
is,
if
we're
not
creating
a
docker
image,
but
it's
just
a
command-line
utility.
B
B
Yes,
so
I
just
wanted
to
link
over
I,
don't
know
if
everyone
has
access
to
this
document,
but
I
can
add
anyone
that
needs
it.
This
is
just
the
okay
yeah,
so
all
I
do.
This
is
just
the
integration
document
that
mostly
Mike
and
I
have
been
working
through
of
the
peach
architecture
and
the
one
of
the
lengths
is
over
cuz
Sam.
You
had
mentioned
a
question
about
one
of
the
diagrams
and
just
responded
to
your
question.
B
This
document
has
probably
the
most
up-to-date
discussion
and
then
the
goal
is
that
what
we're
doing
is
we're
going
to
start
taking
these
and
creating
issues
as
as
this
discussion
is
fairly
mature
at
some
point,
we'll
have
more
than
discussion
in
issues,
but
this
document,
as
you
can
see,
is
like
20
pages,
so
there's
a
lot
more
efficient
just
to
have
it
right.
There
make
all
the
updates,
as
opposed
to
going
through
the
whole
issue,
workflow
so
yeah
this.
B
The
only
thing
is
that
what
we're
not
trying
to
expose
them
the
concept
of
milestones
to
the
public,
that's
all,
and
then
the
the
we
may
be
better
off
closing
out
some
of
those
public
issues
and
just
creating
new
issues
coming
from
that
Google,
but
coming
from
the
Google
Doc,
we'll
just
need
to
work
through
this
Google
Doc
and
figure
out
the
best
way
to
like
it
out.
I
think
this.
This
document
right
now
is
at
a
point
where
most
of
this
discussion
can
move
over
to
issues.
Like
anything
add
on
that
I.
A
B
B
B
So
what
I
would
say
is
we'd
open
up
individual
issues
for
the
particular
things
that
need
to
get
done
and
then
perhaps
those
would
fit
into
an
epoch
and
that
epoch
might
be
milestone
a
witch
or
milestone
B,
which
might
be
instead
of
milestone.
B,
it
would
be
more,
you
know,
customer
can
run
API
fuzzing
job
and
then
that
would
have
the
particular
issues
that
need
to
get
resolved.
E
B
A
A
Probably
as
we
split
this
out,
these
would
I
mean
they
look
like
they
would
mostly
fit
into
our
existing
maturity
epics
as
sub
X
under
there
or
even
under
some
of
the
feature
epics.
So
yeah
I'd
love
to
see
the
the
outline
and
the
proposed
issues,
and
we
can
get
things
transferred
out
of
here
and
onto
on
to
get
lab
in
that
will
read
the
document
since
I
have
not
gone
through
this
one.
Since
I've
been
back.
C
So
this
is
kind
of
a
status
update
on
the
fuzzing
report
schema.
It
is
it's
starting
to
get
some
good
feedback
from
other
tech
leads
and
I've
during
the
discussions.
I've
realized
that
it's
kind
of
doing
two
things
at
once
in
the
mr
and
it
may
make
it
harder
to
get
emerged
then
so
I'm
thinking
of
splitting
it
into
solely
adding
the
fuzzy
and
schema
versus
the
refactoring,
yeah
and
I,
can
have
the
refactoring
based
on
the
fuzzing
schema
branch.
Just
so
it
includes
that
as
well.
E
C
Getting
good
feedback
and
I
say
Sam.
You
had
asked
I
had
a
note
in
here.
We
go
from
one
of
the
other
meetings
asking
about
the
schema
being
in
the
MVC
I,
when
I
made
that
I
didn't
realize
that
I
could
make
a
bookmark
in
the
document
and
so
I
added
the
comment
just
so
I
could
link
to
it.
That's
all
and.
E
F
A
Mean
I
think
we're
gonna
have
to
have
a
schema
that
we
implement
against
ourselves
for
MVC.
It's
not
a
requirement
that
it's
considered
stable
for
customers
to
be
interfacing
with
directly,
though
oh
I
see
I,
don't
think
we're
gonna
get
it
right
from
v1,
so
we
don't
want
to
publish
it
out
to
everyone
say
this
is
what
you
need
to
use
going
forward.
Yet,
okay,
all.
B
C
A
D
I
think
to
change
likely
output
will
be
pretty
easily
because,
like
essentially,
this
is
only
up
currently
at
least
only
up
to
me,
because
this
is
what
I
write
now
so
I
can
check.
I
know
where
the
code
is
and
I
just
can't
change
it
yeah,
so
so
it
should,
it
should
be.
It
should
be
pretty
easy
to
play
with
it
and
and
the
schema
it
doesn't
impact
write
any
any
other
scanners
right.
C
The
current
mr
does
it
should
be
backwards
compatible,
but
with
the
refactoring
and
pulling
common
definitions
out,
it
does
have
an
impact
on
the
other
report
formats.
It
basically
adds
extra
optional
fields
yeah.
So
that's
part
of
the
reason
why
I'm
thinking
I
should
break
the
mr
into
two
pieces,
one
for
the
refactoring
one
for
updating
to
add
fuzzing.
B
Yeah
so
I
guess
it
doesn't
make
too
much
of
a
difference
whether
it
gets
finalized
for
the
MVC
once
that
gets
finalized.
Then
that's
when
we
can
start
building
more
work
on
the
dashboard
and
I
think
that's
probably
where
the
the
stability
is
really
important
is
because
then
the
dashboard
will
start
reading
particular
fields,
but
right
now
we're
not
doing
anything
on
the
dashboard
for
fuzzing.
So.
C
B
The
idea
with
the
schema
is
whether
it's
get
lab.
That's
producing
that
from
one
of
our
fuzzing
tools
or
a
third
party
that
we
produce
consistent,
looking
data
and
then
the
schema.
So
there's
two
things
that
should
happen.
One
is
the
tool
should
be
validating
its
output
against
the
schema,
so
the
go
fuzz
get
lab
code.
Fuzz
should
generate
a
JSON
file
and
then
validate
that
against
the
schema
to
make
sure
that
it's
compliant
and
then
most
importantly,
is
that
data.
B
The
dashboard
should
be
validating
the
JSON
file
that
it
gets
against
the
schema,
and
if
about
it's
against
the
schema,
then
the
dashboard
should
be
able
to
read
that
data
and
just
spit
it
out
on
the
dashboard,
and
that's
that
why
that
scheme
is
so
important
is
so
that
if
a
third
party
is
sending
us
data,
we
just
validate
it
it's
valid,
then
we
can
show
it
on
the
dashboard.
Okay,
all
right
cool,
but
there's
right
now,
there's
nothing!
B
C
Yeah,
okay,
that
makes
a
lot
of
sense.
Thank
you.
So,
unless
there's
more
on
that,
I've
got
the
next
point
to
sock
into
Todd.
So
my
mm
right
now
I'm
kind
of
splitting
my
time
on
other
work
and
working
on
helping
figure
things
out.
That's
fuzzing
and
dogfooding
Todd
mentioned
that
I
should
transition
off
of
that
being
something
I
split.
My
time
on
around
the
end
of
July,
so
just
kind
of
an
FYI
I
current
understanding
is
that
I
will
not
be
permanently
attached
to
this
group
involves,
probably
but
not
splitting
my
time,
50/50.
D
D
C
D
D
So
essentially,
we
are
waiting
for
the
both
of
those
mr2
to
have
the
demo
that
I
showed
marriage
into
master,
so
I
think
like
both
of
them
are
waiting
for
yeah.
The
last
one
see
is
now
waiting
for
final
review
by
the
maintainer
and
I
think
those
are
also
also
the
missing
pieces
for
for
the
milestone,
B
and
C.
D
B
F
B
F
D
D
E
D
Okay
got
it
so
Andy
is
the
security
dashboard
which
is
I.
Currently
we
show
the
vulnerabilities
that
the
coverage
guided
fuzzing
found
in
the
pipeline
dashboard
and
I'm
working
on
the
M
R,
which
is
relatively
vegan.
So
it's
good
that
we
split
it
into
two
and
Mars
like
pipeline
dashboard
and
security.
E
D
Be
saved
into
the
database
and
showed
on
the
security
dashboard,
so
yeah
I'm.
This
is
working.
Progress.
I
still
have
some
issues
there.
Something
is
not
still
not
working
on
on
my
local
machine.
I
might
choke
fine,
it's
fine.
Sometimes
you
talk
to
the
other
back-end
devs
to
try
and
figure
out
what.
Why
are
why
everything
is
not
working
yet,
and
hopefully
I'll
finish
this
by
either
end
of
this
week
or
early
next
week.
D
You,
because
essentially,
because
essentially,
we
are
like
I'm
kind
of
following
the
same
principles.
All
the
other
scanners
followed.
So
it
should
work
kind
of
like
not
out
of
the
box,
I
need
to
add
more
more
classes
and
more
scanners,
but
it's
kind
of
a
copy
pasting,
the
same
the
same
code
and
just
changing
the
the
schema
a
bit.
So
it
should.
It
should
work
without
any
really
any
new.
You
have
a
functionality,
so
hopefully
we'll
get
to
this
either
by
the
end
of
this
week
or
early
next
week,
perfect.
F
My
next
point
is
I
was
just
curious.
So,
right
now
in
terms
of
the
front-end,
we
have
I
guess
where
I'm
working
on
the
download,
artifacts
I
just
type
lines
page.
Do
you
guys
know
what
would
be
next
in
terms
of
front-end
work?
That's
up
and
coming
just
like
just
broad,
not!
This
is
really
getting
into
like
specific
issues
or
anything
like
that.
A
Yeah
so
fanatically,
the
next
couple
of
things
were
going
to
want
to
focus
on
are
going
to
be
corpus,
support
so
being
able
to
reuse
those
between
jobs
if
users
want
to
download
them
or
interact
with
them.
We're
gonna
be
want
to
focus
on
that,
as
well
as
being
able
to
show
fuzzing
results
in
the
security
dashboard.
A
F
E
F
Looks
like
the
running
the
fuzzing
job
does
generate
and
item
in
that
table,
but
it
looks
like
this
I'm
missing
data
there
or
maybe
I,
don't
know
I'll
follow
up
with
you
X
on
what
should
go
there
or
if
that's
eventually
can
be
populated,
because
if
you
click
on
the
issue,
the
two
one,
seven
one
five
one
and
then
look
at
comment
in
the
last
screenshot.
It
looks
like
okay,
Jemima.
F
Report-
okay,
pull
this
over
here.
Can
you
guys
do
this?
So
we
have
the
way.
So
we
have
the
security
tab
down
buttons
going
to
go
over
here,
but
then
it
looks
like
this
vulnerability
or
this
result
was
generated
from
that
that
job
run.
But
you
know,
index
out
of
range,
I
think
severity,
unknown
I,
don't
know
how
we
would
generate
a
severity
level
for
that,
and
then
identifier
is
blank,
so
I
don't
know
right
now.
It's
particularly
useful!
D
F
The
question
is
right:
now:
is
this
business?
Look
alright,
because
right
now,
in
that
kind
of
range,
is
specific
value
for
this
column,
saying
you
know
and
then
unknown
like
I
just
want
to
make
sure
this
is
not
like
I
know
we
had
generated
actually
a
new
report
type
in
this
view,
but
I
don't
know
if
the
data
that's
here
is
currently
valid,
as
is
or
if
it's
even
useful
to
the
user.
B
So
this
data,
so
because
coverage
guide
of
fuzzing
is
kicking
out
a
schema
that
is
mostly
compatible
with
the
existing
schemas.
What
you're
seeing
on
screen
is
what
naturally
shows
up
this
is
you're
bringing
up
the
issue,
which
is
that
the
fuzzing
results
are
not
necessarily
vulnerabilities,
so
the
fault
that
was
found
was
index
out
of
range
and
that's
the
fault
but
like
this
design
is
for
you
know,
the
title
is
vulnerability
and
it
may
not
be
the
same.
So
we're
shoving
the
data
in
there
for
now
and
I
think
this
is.
B
F
I
mean
I
didn't
mean
to
go
off
track
here.
I
think
my
so
I
guess.
The
outcome
for
me
is
and
I
brought
this
up
in
the
issues
like.
Maybe
we
should
have
a
follow-up
issue
to
kind
of
mitigate
those,
but
for
now
I
will
add
the
download
button.
As
for
the
mocks,
which
I
think
this
is
what
it
should
look
like
over
here,
so
I'll
do
that
for
now
yep
and
then
I'll
guess,
I'll
follow
up,
see
X
on
the
concerns.
I
just
brought
up
now,
yeah.
B
And
in
in
in
the
near
term,
what
we're
trying
to
do
is
get
all
this
data
into
the
schemas
so
that
it
lines
up
with
all
the
infrastructure
that
we
have,
which
means
there's
there
shouldn't
be
a
much
front-end
work
or
back-end
work
other
than
getting
it
into
that
schema,
and
that's
why
I
think
understanding
the
priority
of
you
axe
is
very
important,
because
corpus
is,
and
all
that
is
separate.
Then
this
type
of
work
all.
A
I
mean
I
would
look
at
it
as
a
this
is
a
iteration
that
is
better
than
what
we
had
yesterday,
but
by
no
means
is
yeah
to
your
point.
Users
might
be
confused
by
it.
We
can
put
more
information
there
and
that's
really
what
those
design
pieces
of
work
around.
What
is
the
way
we
want
to
actually
present
these
results.
That's
gonna
be
what
it
focuses
on
it.
A
F
B
I
we
should
just
have
that
conversation
in
the
issue.
I
would
be
more
inclined
not
to
have
anything
hard-coded
on
the
front
end
and
if
we
hard
code
it
we
should
hard-coded
in
the
back
end
so
that
later,
when
it
gets
updated,
we
can
change
the
code
and
you
on
the
front
end,
don't
have
to
change
anything
yeah.
D
Yeah
yeah
I
think
it's
like
a
bog
in
the
Corinth
version
or
like
a
feature
in
the
next
one.
That's
a
way
that
we
like
it
should
like.
This
field
should
be
connected
to
some
output
that
we
we
control
on
the
on
the
back
end
and
that
it
should
just
yeah,
be
whatever
we
decide
or
either
some
useful
information
like
identifier
of
the
of
the
crash,
for
example,
yeah
I
added.
C
A
note
or
notes
on
the
meeting
on
the
schema,
merge
request.
I
did
mention
that
we
could
use
the
existing
identifier
field
and
the
different
crash
types
should
map
directly
to
cwe's
it.
It's
not
something.
I
would
push
for
for
the
NBC,
but
like
a
an
access
violation,
trying
to
read
data
or
if
you're
fuzzing,
with
an
address,
sanitizer
you'll
know
it's
an
index
out
of
bounds
or
Stack
Overflow.
All
of
those
vulnerability
types
do
map
to
cwe's,
that's
something
we
could
add
later
yeah.