Someone from Google logged a case offering to add Calcite to the OSS-Fuzz program. (I work for Google but was not aware that we were being considered.)
https://issues.apache.org/jira/browse/CALCITE-5781 How do people feel about participating in this program? I think that it could improve our security significantly, but it will take work. The fuzzer might generate a lot of false negatives. It might also generate quite a few genuine security issues that we will need to respond to appropriately. As an all-volunteer project it might put a strain on us. Julian