lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Hi Lua team,

I have worked on Lua security recently with the intentions of setting up
continuous fuzzing of Lua by way of OSS-Fuzz. The goal is to use
automated test-case generation by way of fuzzing to catch any
undesirable bugs in Lua.

OSS-Fuzz is a service provided by Google
( that performs continuous fuzzing of
important open source projects. In essence, the idea is that you can
integrate a project by writing fuzzers for it and then have Google run
the fuzzers over and over again. This is an excellent way to find bugs
and security vulnerabilities in projects, and many well-known open
source projects are integrated (see full list here:

Once a bug is found, an email is sent with information about bug
details, e.g. stack trace, trigger input and sanitizers reports, which
is very helpful in the root-cause analysis process. The only caveat is
that there is a 90 day disclosure time, so bugs will be made visible to
the public within after 90 days of being found. It also possible to set
it up such that bugs are made visible to all instantly when they are found.

I have done the necessary work to integrate Lua into OSS-Fuzz, meaning I
have written a fuzzer for Lua as well as the infrastructure necessary to
integrate into OSS-Fuzz. You can find this logic in a PR on the OSS-Fuzz
repository here:

Would you be happy to integrate Lua into this project? If so, the only
thing I would need is an email(s) that will receive the bug-reports, or,
alternatively a "go" from the maintainers that bugs should be made
visible to the public when found. I am happy to maintain the fuzzer and
infrastructure from the OSS-Fuzz side of things.

Let me know what you think.

Kind regards,


ADA Logics Ltd is registered in England. No: 11624074.
Registered office: 266 Banbury Road, Post Box 292,
OX2 7DL, Oxford, Oxfordshire , United Kingdom