Oliver Chang
@halbecaf
Followers
2K
Following
316
Media
2
Statuses
196
https://t.co/bmyDmTlFKv Senior Staff Eng @ Google Open Source Security. Founder of https://t.co/K575lba4tt, lead/co-founder for OSS-Fuzz.
Sydney, Australia
Joined June 2016
Really excited to finally announce CodeMender! As part of this we've already submitted and upstreamed several patches to OSS projects via OSS-Fuzz. Check out our post at: https://t.co/qgnroQyIzN There will be more technical details and exciting announcements to come!
deepmind.google
Using advanced AI to fix critical software vulnerabilities
0
11
45
Software vulnerabilities can be notoriously time-consuming for developers to find and fix. Today, we’re sharing details about CodeMender: our new AI agent that uses Gemini Deep Think to automatically patch critical software vulnerabilities. 🧵
76
344
2K
🚀Inviting GSoC2025 contributors to supercharge OSS-Fuzz-Gen! Opportunities include: 1. Modularize OSS-Fuzz features 2. Enhance Experiment Execution & Report UI 3. Integrate Research Innovations Interested? Send your resume to donggeliu@google.com😃 https://t.co/vcoiDwScUN
gist.github.com
Google Summer of Code: 2025 Google DeepMind Project List - gdm-gsoc-projects-2025.md
1
4
15
OSV-Scanner has just released the first beta for V2, a major update that includes significant new features, including layer-aware container scanning, remediation for pom.xml, new HTML output and more. https://t.co/kkPK2KHBTk Please try it out and give us feedback!
0
4
11
https://t.co/MJrSrcgXqC Awesome blog on how we’re using SLSA to make GKE more secure for our customers!
cloud.google.com
You can now verify the integrity of Google Kubernetes Engine components with SLSA, the Supply-chain Levels for Software Artifacts framework.
0
2
9
Today, we announced the official release of OSV-SCALIBR, Google's software composition analysis library. If you are working in vuln management / security scanning, SCALIBR is for you! SCALIBR is powering most of Google's vuln scanning. Please RT https://t.co/Xk95hlSQwd
security.googleblog.com
Posted by Erik Varga, Vulnerability Management, and Rex Pan, Open Source Security Team In December 2022, we announced OSV-Scanner , a tool t...
3
75
211
The OSS-Fuzz team is hiring a PhD intern for this summer. Come join us and build the future of fuzzing. Link in next tweet in thread. RTs appreciated!
2
31
90
Happy new year! OSV had a lot of great progress in 2024, from new ecosystem adoption, API improvements, and scanner feature development! We just published a blog about these and our 2025 plans here: https://t.co/7vRkoPHZfO !
0
4
8
The OSS-Fuzz team at @Google is using AI-powered fuzzing to find vulns in open-source software and recently reported 26 new vulns to open-source project maintainers, including one in the OpenSSL library which is critical to most internet infrastructure.
security.googleblog.com
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team Recently, OSS-Fuzz reported 26 new vulnerabilities...
0
25
77
On the heels of @Google’s ‘Big Sleep’ AI discovery of a real-world vulnerability, our OSS-Fuzz team identified and reported 26 vulnerabilities to open-source project maintainers by using AI-generated and enhanced fuzz targets. Read more here:
security.googleblog.com
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team Recently, OSS-Fuzz reported 26 new vulnerabilities...
0
29
70
New blog post about OSS-Fuzz AI-powered fuzzing is live! We talk about what went into making LLMs work well enough for this use case to find 26 new vulnerabilities (including a CVE in OpenSSL), as well as what else we have planned to make this better. https://t.co/ewCUmtRs6P
security.googleblog.com
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team Recently, OSS-Fuzz reported 26 new vulnerabilities...
0
26
111
Red Hat joins OSV! https://t.co/M6yDyTwMpE Combined with Ubuntu, Chainguard, and SUSE adopting OSV this year, https://t.co/JhJ5uLdAjV has really started to become a comprehensive vulnerability source for not only language packages, but also Linux distros!
0
2
7
CVE-2024-9143 ( https://t.co/ApXML9Eiuv) was disclosed recently, which was found by OSS-Fuzz-Gen! This is a pretty proud example of our team showing the promise of leveraging LLMs enable more fuzzing coverage.
0
23
123
OSV support announced in the latest Ubuntu 24.10 release! This year has seen OSV adoption from many Linux distributions, and the https://t.co/JhJ5uLd2un database is starting to become a really comprehensive source of accurate vuln info across major open source ecosystems!
Today, we proudly unveil Ubuntu 24.10, codenamed "Oracular Oriole" 🔮 Packed with GNOME 47, the Linux 6.11 kernel, permissions prompting, an enhanced command line, OpenVEX and OSV support, and a special #Ubuntu20Years anniversary gift - there’s plenty for you to explore 🚀
0
3
6
Today, we proudly unveil Ubuntu 24.10, codenamed "Oracular Oriole" 🔮 Packed with GNOME 47, the Linux 6.11 kernel, permissions prompting, an enhanced command line, OpenVEX and OSV support, and a special #Ubuntu20Years anniversary gift - there’s plenty for you to explore 🚀
27
220
1K
One week later the bug count is now at 25 bugs total ( https://t.co/sjDnDMze7e) There's still many improvements to be made to improve success rate of generated targets, but we now have the problem of too many crashes to triage. Automating this will a focus of our future research.
This week we've added another 8 trophies to OSS-Fuzz-Gen (for a total of 14)! These are vulnerabilities found by LLM-generated harnesses. The interesting bit here is many of these are in well-fuzzed projects with thousands of hours of fuzzing already. https://t.co/sjDnDMyGhG
1
10
46
Sadly triaging findings by LLM-generated harnesses is fairly manual and time consuming. e.g. Some generated harnesses may not be valid. We have some work ongoing to auto-triage the results (using LLMs) and to steer LLMs away from generating bad harnesses.
0
1
11
This week we've added another 8 trophies to OSS-Fuzz-Gen (for a total of 14)! These are vulnerabilities found by LLM-generated harnesses. The interesting bit here is many of these are in well-fuzzed projects with thousands of hours of fuzzing already. https://t.co/sjDnDMyGhG
3
21
100
Second OSS-Fuzz blog post on fuzz harness generation for Java! https://t.co/Mnx2K8EgyU We've been quiet for a while but have a few interesting posts coming in the pipeline about our research.
blog.oss-fuzz.com
Introducing LLM-based harness generation for Java OSS-Fuzz projects.
0
28
104
Yesterday we announced that our security advisory feed was being now published following the OSV schema. This was a herculean job by @danluhring and @comedordexis.
1
5
8