Finding the Bugs Humans Miss
Ever wonder how many vulnerabilities are still lurking in “well-tested” code?
Here’s a clue: Google’s Open Source Security Team used AI-powered fuzzing to uncover 26 new vulnerabilities, including a critical bug in OpenSSL (CVE-2024-9143)—a piece of software so foundational it practically holds the internet’s hand.
AI mimicking bug hunter drudgery at scale
…or “fuzz testing seems cool till you try it with non-trivial targets”
• Generate and refine fuzz targets
• Emulate the steps a human developer would take: draft, debug, iterate, repeat
The results?
• 370,000+ lines of new code coverage
• Across 270 projects
A key takeaway:
Next time someone claims their fuzz testing achieves full code coverage, ask: “What about state coverage?”
Just because a function gets executed doesn’t mean every input, flag, or configuration has been tested. AI-generated fuzz targets dig deeper, exploring states and edge cases that human-written tests often miss. That’s how vulnerabilities hide in plain sight—even in code fuzzed for years.
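The state-coverage point above, as an added illustration that is not code from the post or from oss-fuzz-gen: a toy stateful "connection" API with a constructed defect (all names and the bug are made up for this example), a shallow harness that executes the write path on every run yet can never reach the defect, and a sequence-driven libFuzzer-style harness that can.

```c
#include <stdint.h>
#include <string.h>
/* Toy stateful "connection" API with a constructed defect (not a real library). */
typedef struct { int compression, handshake_done; size_t buf_len; char buf[16]; } conn_t;
void conn_init(conn_t *c) { memset(c, 0, sizeof *c); }
void conn_set_compression(conn_t *c, int on) { c->compression = on; }
void conn_handshake(conn_t *c) { c->handshake_done = 1; }
/* 0 = ok, -1 = rejected, 1 = constructed defect reached (a real target would
 * overflow buf here; this toy reports instead of corrupting memory). */
int conn_write(conn_t *c, const uint8_t *data, size_t len) {
    if (!c->handshake_done || len > sizeof c->buf) return -1;
    /* constructed defect: with compression on, buf_len is never reset between writes */
    if (!c->compression) c->buf_len = 0;
    if (c->buf_len + len > sizeof c->buf) return 1;
    memcpy(c->buf + c->buf_len, data, len);
    c->buf_len += len;
    return 0;
}
/* Shallow harness: conn_write executes on every input (good line coverage),
 * but compression is never enabled, so the defect state is unreachable. */
int shallow_harness(const uint8_t *data, size_t size) {
    conn_t c; conn_init(&c); conn_handshake(&c);
    return conn_write(&c, data, size);
}
/* Stateful harness: input is a sequence of (op, arg) pairs, each write followed
 * by its payload, so a fuzzer can explore call orderings. Returns 1 on a defect hit. */
int stateful_harness(const uint8_t *data, size_t size) {
    conn_t c; conn_init(&c); int hit = 0;
    while (size >= 2) {
        uint8_t op = data[0], arg = data[1];
        data += 2; size -= 2;
        if (op % 3 == 0) conn_set_compression(&c, arg & 1);
        else if (op % 3 == 1) conn_handshake(&c);
        else {
            size_t n = arg % 17;            /* 0..16 payload bytes */
            if (n > size) n = size;
            if (conn_write(&c, data, n) == 1) hit = 1;
            data += n; size -= n;
        }
    }
    return hit;
}
/* libFuzzer entry point: this is what a coverage-guided fuzzer would drive. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { (void)stateful_harness(data, size); return 0; }
/* Constructed reproducer: compression on, handshake, then two 16-byte writes. */
int replay_constructed_input(void) {
    uint8_t in[40] = {0, 1, 1, 0, 2, 16, [22] = 2, [23] = 16};
    return stateful_harness(in, sizeof in);  /* returns 1 */
}
```

Compiled with `clang -fsanitize=fuzzer` the stateful entry point lets the fuzzer discover that ordering itself, which a single-call harness can never do regardless of how many lines it covers.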
So, what’s next?
• Fully automated bug triaging and patching
• AI agents that can plan, debug, and validate autonomously
No local LLM support yet, but…
Since oss-fuzz-gen supports inference with OpenAI models (and more), getting it working with local LLMs to fuzz your uber sekret codez shouldn't be a big lift.
Check out the open-source oss-fuzz-gen and explore AI-powered fuzzing for yourself.