On Thu, May 13, 2021 at 1:22 PM Alan Bateman <alan.bate...@oracle.com> wrote:
> The workflow is shown on the Vulnerability Group page [1]. There isn't a
> repo that you can test commits on before the publication date.
>
> -Alan
>
> [1] https://openjdk.java.net/groups/vulnerability/

Based on the information on that page, there should be no conflict between the OpenJDK and the OSS-Fuzz policies regarding disclosures (https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/).

Is there anyone who would volunteer to receive the finding reports? Every report comes with a stack trace and the exact input that reproduces the finding with the fuzzer, i.e., is immediately actionable. Examples of such reports for fixed bugs can be found at https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3A%22json-sanitizer%22%20OR%20proj%3A%22fastjson2%22%20OR%20proj%3A%22jackson-core%22%20OR%20proj%3A%22jackson-dataformats-binary%22%20or%20proj%3A%22apache-commons%22&can=1