whatisgithub

What is oss-fuzz?

google/oss-fuzz — explained in plain English

Analysis updated 2026-06-24

12,244ShellAudience · developerComplexity · 4/5Setup · hard

In one sentence

OSS-Fuzz is Google's free continuous fuzz-testing service that automatically throws random inputs at open source software to find crashes, memory errors, and security vulnerabilities at scale.

Mindmap

mindmap
  root((oss-fuzz))
    What it does
      Continuous fuzz testing
      Free for open source
      Crash and bug finding
    How it works
      Random malformed inputs
      Instrumented builds
      Multiple fuzz engines
    Languages Supported
      C and C++
      Python and Go
      Rust Java JavaScript
    Getting Started
      Write build integration
      Submit pull request
      Crashes reported to devs
    Audience
      Open source maintainers
      Security researchers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Integrate your open source C or C++ library into Google's OSS-Fuzz for free continuous security testing.

USE CASE 2

Find memory safety bugs and security vulnerabilities in your software before attackers do.

USE CASE 3

Run ClusterFuzz on your own infrastructure to apply the same fuzzing approach to private projects.

What is it built with?

ShellCC++PythonGoRustJavaJavaScript

How does it compare?

google/oss-fuzzpystardust/ani-cli89luca89/distrobox
Stars12,24412,38612,405
LanguageShellShellShell
Setup difficultyhardeasyeasy
Complexity4/52/52/5
Audiencedevelopergeneralops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Joining OSS-Fuzz requires writing a build integration file and submitting a pull request to the oss-fuzz repository.

So what is it?

OSS-Fuzz is a free service run by Google that continuously tests open source software projects for bugs by throwing massive amounts of random and malformed inputs at them. This technique, called fuzz testing, is effective at finding crashes, memory errors, and security vulnerabilities that ordinary testing would miss because developers tend to test expected inputs rather than bizarre edge cases. Google originally developed this approach internally to harden Chrome and found thousands of serious bugs. OSS-Fuzz extends that same infrastructure to the broader open source community at no cost. By May 2025, the service had helped identify and fix over 13,000 vulnerabilities and 50,000 bugs across more than 1,000 projects. The system works by running programs in specially instrumented ways, using tools that catch memory access errors, data races, and other common problems the moment they occur. It supports several different fuzzing engines, which are the programs that generate and mutate inputs, and works with code written in C, C++, Rust, Go, Python, Java, JavaScript, and Lua. Open source projects that want to join OSS-Fuzz write a small integration that tells the system how to build and run their code in fuzzing mode. Once integrated, the project's code is tested continuously on Google's infrastructure, and any crashes found are reported to the project's developers. Projects that do not qualify for the free service can run the same underlying tool, called ClusterFuzz, on their own infrastructure.

Copy-paste prompts

Prompt 1
Show me how to write an OSS-Fuzz build integration for a C++ library so it can be submitted for continuous testing.
Prompt 2
Walk me through submitting a new project to OSS-Fuzz: what files do I need to create and what does the pull request look like?
Prompt 3
What types of bugs does fuzz testing find that unit tests typically miss, and how does OSS-Fuzz detect them?
Prompt 4
How does ClusterFuzz work under the hood, and what does it mean when a fuzzing engine reports a crash?

Frequently asked questions

What is oss-fuzz?

OSS-Fuzz is Google's free continuous fuzz-testing service that automatically throws random inputs at open source software to find crashes, memory errors, and security vulnerabilities at scale.

What language is oss-fuzz written in?

Mainly Shell. The stack also includes Shell, C, C++.

How hard is oss-fuzz to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is oss-fuzz for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.