Oliver Chang Profile
Oliver Chang

@halbecaf

Followers: 2K, Following: 312, Media: 2, Statuses: 194

https://t.co/bmyDmTlFKv Senior Staff Eng @ Google Open Source Security. Founder of https://t.co/K575lba4tt, lead/co-founder for OSS-Fuzz.

Sydney, Australia
Joined June 2016
@halbecaf
Oliver Chang
6 months
RT @dongge_liu: 🚀Inviting GSoC2025 contributors to supercharge OSS-Fuzz-Gen! Opportunities include: 1. Modularize OSS-Fuzz features. 2. En…
gist.github.com
Google Summer of Code: 2025 Google DeepMind Project List - gdm-gsoc-projects-2025.md
@halbecaf
Oliver Chang
7 months
OSV-Scanner has just released the first beta for V2, a major update that includes significant new features, including layer-aware container scanning, remediation for pom.xml, new HTML output and more. Please try it out and give us feedback!
@halbecaf
Oliver Chang
7 months
RT @rdcallaw: Awesome blog on how we’re using SLSA to make GKE more secure for our customers!
cloud.google.com
You can now verify the integrity of Google Kubernetes Engine components with SLSA, the Supply-chain Levels for Software Artifacts framework.
@halbecaf
Oliver Chang
8 months
RT @slekies: Today, we announced the official release of OSV-SCALIBR, Google's software composition analysis library. If you are working in…
security.googleblog.com
Posted by Erik Varga, Vulnerability Management, and Rex Pan, Open Source Security Team. In December 2022, we announced OSV-Scanner, a tool t...
@halbecaf
Oliver Chang
8 months
RT @metzmanj: The OSS-Fuzz team is hiring a PhD intern for this summer. Come join us and build the future of fuzzing. Link in next tweet in…
@halbecaf
Oliver Chang
8 months
Happy new year! OSV had a lot of great progress in 2024, from new ecosystem adoption, API improvements, and scanner feature development! We just published a blog about these and our 2025 plans here: !
@halbecaf
Oliver Chang
10 months
RT @royalhansen: The OSS-Fuzz team at @Google is using AI-powered fuzzing to find vulns in open-source software and recently reported 26 ne…
security.googleblog.com
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team Recently, OSS-Fuzz reported 26 new vulnerabilities...
@halbecaf
Oliver Chang
10 months
RT @argvee: On the heels of @Google’s ‘Big Sleep’ AI discovery of a real-world vulnerability, our OSS-Fuzz team identified and reported 26…
security.googleblog.com
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team Recently, OSS-Fuzz reported 26 new vulnerabilities...
@halbecaf
Oliver Chang
10 months
New blog post about OSS-Fuzz AI-powered fuzzing is live! We talk about what went into making LLMs work well enough for this use case to find 26 new vulnerabilities (including a CVE in OpenSSL), as well as what else we have planned to make this better.
security.googleblog.com
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team Recently, OSS-Fuzz reported 26 new vulnerabilities...
@halbecaf
Oliver Chang
10 months
Red Hat joins OSV! Combined with Ubuntu, Chainguard, and SUSE adopting OSV this year, has really started to become a comprehensive vulnerability source for not only language packages, but also Linux distros!
@halbecaf
Oliver Chang
11 months
CVE-2024-9143 was disclosed recently, which was found by OSS-Fuzz-Gen! This is a pretty proud example of our team showing the promise of leveraging LLMs to enable more fuzzing coverage.
@halbecaf
Oliver Chang
11 months
OSV support announced in the latest Ubuntu 24.10 release! This year has seen OSV adoption from many Linux distributions, and the database is starting to become a really comprehensive source of accurate vuln info across major open source ecosystems!
@ubuntu
Ubuntu
11 months
Today, we proudly unveil Ubuntu 24.10, codenamed "Oracular Oriole" 🔮 Packed with GNOME 47, the Linux 6.11 kernel, permissions prompting, an enhanced command line, OpenVEX and OSV support, and a special #Ubuntu20Years anniversary gift - there’s plenty for you to explore 🚀
@halbecaf
Oliver Chang
11 months
RT @ubuntu: Today, we proudly unveil Ubuntu 24.10, codenamed "Oracular Oriole" 🔮 Packed with GNOME 47, the Linux 6.11 kernel, permissions…
@halbecaf
Oliver Chang
1 year
One week later the bug count is now at 25 bugs total. There's still many improvements to be made to improve success rate of generated targets, but we now have the problem of too many crashes to triage. Automating this will be a focus of our future research.
@halbecaf
Oliver Chang
1 year
This week we've added another 8 trophies to OSS-Fuzz-Gen (for a total of 14)! These are vulnerabilities found by LLM-generated harnesses. The interesting bit here is many of these are in well-fuzzed projects with thousands of hours of fuzzing already.
@halbecaf
Oliver Chang
1 year
Sadly triaging findings by LLM-generated harnesses is fairly manual and time consuming. e.g. Some generated harnesses may not be valid. We have some work ongoing to auto-triage the results (using LLMs) and to steer LLMs away from generating bad harnesses.
@halbecaf
Oliver Chang
1 year
This week we've added another 8 trophies to OSS-Fuzz-Gen (for a total of 14)! These are vulnerabilities found by LLM-generated harnesses. The interesting bit here is many of these are in well-fuzzed projects with thousands of hours of fuzzing already.
@halbecaf
Oliver Chang
1 year
Second OSS-Fuzz blog post on fuzz harness generation for Java! We've been quiet for a while but have a few interesting posts coming in the pipeline about our research.
blog.oss-fuzz.com
Introducing LLM-based harness generation for Java OSS-Fuzz projects.
@halbecaf
Oliver Chang
1 year
RT @JordiMonPMM: Yesterday we announced that our security advisory feed was being now published following the OSV schema. This was a hercul…
@halbecaf
Oliver Chang
1 year
RT @infernosec: The @DARPA #AIxCC will help design new #AI systems to secure major open source projects that our critical infrastructure re…
security.googleblog.com
Oliver Chang, Jonathan Metzman, OSS-Fuzz and Alex Rebert, Security Engineering. The US Defense Advanced Research Projects Agency, DARPA, rec...
@halbecaf
Oliver Chang
1 year
Very excited that Ubuntu now officially supports the OSV format!