Merge bitcoin/bitcoin#21856: doc: add OSS-Fuzz section to fuzzing.md doc

47c3ea021e doc: add OSS-Fuzz section to fuzzing.md doc (Adam Jonas) Pull request description: This adds documentation about [Bitcoin Core's participation](https://github.com/google/oss-fuzz/pull/5699/files) in Google's OSS-Fuzz program and adds the caveat that the project may not disclose vulnerabilities within the 90-day window described in the [program's disclosure guidelines](https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/). ACKs for top commit: jonatack: ACK 47c3ea021e Tree-SHA512: 87bf0146fb74d1e4b3b8839e6c8f3d53046008a6d5b926ffe5b95be3c396a5e47e47967533422f60b04c4446482f49d210ada410b742f69781a7afde623d704d
2024-11-19 18:09:47 +01:00 · 2021-05-05 16:33:56 +02:00 · 2021-05-05 16:33:56 +02:00 · 576300afb0
commit 576300afb0
parent 54617fad99 47c3ea021e
1 changed files with 12 additions and 0 deletions
--- a/doc/fuzzing.md
+++ b/doc/fuzzing.md
@ -230,3 +230,15 @@ $ honggfuzz/honggfuzz --exit_upon_crash --quiet --timeout 4 -n 1 -Q \
                       -nodebuglogfile -bind=127.0.0.1:18444 -logthreadnames \
                       -debug
 ```
+
+# OSS-Fuzz
+
+Bitcoin Core participates in Google's [OSS-Fuzz](https://github.com/google/oss-fuzz/tree/master/projects/bitcoin-core)
+program, which includes a dashboard of [publicly disclosed vulnerabilities](https://bugs.chromium.org/p/oss-fuzz/issues/list).
+Generally, we try to disclose vulnerabilities as soon as possible after they
+are fixed to give users the knowledge they need to be protected. However,
+because Bitcoin is a live P2P network, and not just standalone local software,
+we might not fully disclose every issue within Google's standard
+[90-day disclosure window](https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/)
+if a partial or delayed disclosure is important to protect users or the
+function of the network.