AI patches (beta)
For certain classes of vulnerabilities, OSS-Fuzz now delivers high-quality, AI-proposed patches along with bugs. The patches are generated by CodeMender, an AI coding security agent from Google DeepMind.
This document describes the benefits of this new functionality, its scope, and how you can use it.
Why AI-proposed patches?
Agentic code scanning has the potential to improve the security posture of the open-source ecosystem. But we know that open source maintainers are overwhelmed by AI-generated submissions. Maintainers need new ways to take advantage of the time-saving power of AI: secure bug fixes that don’t need intensive review to validate.
Through OSS-Fuzz’s use of CodeMender, you get ready-made patches that help relieve the burden of securing your projects. The patches reduce your risk exposure by decreasing the time to getting a viable fix deployed.
Scope of beta
You will only receive an AI-proposed patch along with a bug if the following are true:
- You have already onboarded your project to OSS-Fuzz
- Your project’s submission policy doesn’t prohibit AI-generated submissions
- The bug is related to memory safety in a C or C++ project
- OSS-Fuzz found a reproducible vulnerability
How it works
When OSS-Fuzz finds a vulnerability, the system feeds the crash details and source code context directly into CodeMender. The CodeMender agent analyzes the flaw to develop multiple patch attempts, choosing the highest-quality patch candidate to promote to the next stage of the process.
Ensuring patch quality
Before sending you an AI-proposed patch, OSS-Fuzz follows a rigorous patch delivery process:
- We proactively check your repository’s guidelines before engaging; for example, if your project restricts AI code, we honor that choice and withhold submissions entirely.
- We verify that each patch works, testing every fix in an isolated environment to prove that it compiles cleanly and successfully resolves the crash.
- As a temporary measure during this beta phase, Google engineers known as patch shepherds personally review proposed patches to ensure they’re up to standard.
As part of their role, patch shepherds do the following:
- Review candidate patchsets for a given OSS-Fuzz vulnerability report, selecting a single patch to be submitted while giving feedback to the CodeMender team.
- Contact maintainers (in the context of OSS-Fuzz vulnerability reports) to include patches and land fixes.
- Gather feedback from maintainers on what they want to see in vulnerability reports, patches and other supporting content. That feedback is used to improve the experience for code maintainers and the performance of CodeMender as a patch generation agent.
Signing up and opting out
If your project is already onboarded to OSS-Fuzz:
- To sign up: You don’t need to do anything. When OSS-Fuzz finds a vulnerability, it will begin to deliver AI-proposed patches along with bugs that are in scope of the beta.
- To opt out: Update your submission policy to prohibit AI-generated submissions. Our systems will respect your policy. You can also opt out directly.
If your project is not onboarded, follow our guidance to onboard and configure your project for OSS-Fuzz. You’ll start receiving AI-proposed patches automatically, unless you opt out.
Reviewing AI-proposed patches
We recommend that you approach AI-proposed patches with the same rigor you would use for any other proposed submission. We have updated our bug fixing guidance to help you account for AI-proposed patches when you prioritize bugs.
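The beta's delivery process checks that a proposed patch compiles cleanly and resolves the crash in an isolated environment; the same two checks are the minimum a maintainer should repeat before merging. The script below is an added example, not OSS-Fuzz's or CodeMender's own tooling. It drives OSS-Fuzz's real `infra/helper.py build_fuzzers` and `infra/helper.py reproduce` subcommands from a maintainer's machine, and goes one step beyond the page by first confirming that the unpatched tree actually crashes on the testcase, so that a "fix" is never accepted against a reproducer that was not exercising the bug. Everything else is an assumption: an `oss-fuzz` checkout at `$OSS_FUZZ_DIR` with Docker installed, a local git clone of the project at `$SRC_DIR`, and placeholder project, fuzz target, testcase and patch names supplied on the command line. A non-zero exit from `reproduce` is treated as "the crash still fires".

```shell
# Added example (not OSS-Fuzz's or CodeMender's own script): repeat locally the
# checks the beta applies before delivering a patch -- the patched project
# still builds under ASan, and the testcase from the report no longer crashes.
#
# Assumptions (placeholders, not values from the OSS-Fuzz docs): an oss-fuzz
# checkout at $OSS_FUZZ_DIR with Docker available, a local git clone of the
# project at $SRC_DIR, and PROJECT / FUZZ_TARGET / TESTCASE / PATCH given as
# arguments. `infra/helper.py build_fuzzers` and `infra/helper.py reproduce`
# are OSS-Fuzz's real subcommands; a non-zero exit from `reproduce` is taken
# here to mean the crash still reproduces.

set -u

# 0 when every prerequisite is present, 3 when something is missing.
check_prereqs() {
  oss_fuzz_dir="$1"
  [ -f "$oss_fuzz_dir/infra/helper.py" ] || return 3
  command -v docker >/dev/null 2>&1 || return 3
  command -v python3 >/dev/null 2>&1 || return 3
  return 0
}

# Build the project's fuzz targets from a local source tree with ASan.
build_from_source() {
  python3 "$1/infra/helper.py" build_fuzzers --sanitizer address "$2" "$3"
}

# Run one fuzz target on one testcase; the exit status is the run's status.
run_testcase() {
  python3 "$1/infra/helper.py" reproduce "$2" "$3" "$4"
}

# verify_patch PROJECT FUZZ_TARGET TESTCASE PATCH
# Exit codes: 0 patch builds and the crash is gone
#             1 baseline build failed, or the testcase does not crash unpatched
#             2 patch does not apply or the patched build failed
#             3 prerequisites missing
#             4 patched build is fine but the reproducer still crashes
verify_patch() {
  project="$1"; target="$2"; testcase="$3"; patch="$4"
  oss_fuzz_dir="${OSS_FUZZ_DIR:-$HOME/oss-fuzz}"
  src_dir="${SRC_DIR:-$PWD}"
  check_prereqs "$oss_fuzz_dir" || return 3

  # 1. Baseline: the unpatched tree must build and the testcase must crash,
  #    otherwise a passing result after patching proves nothing about this bug.
  build_from_source "$oss_fuzz_dir" "$project" "$src_dir" || return 1
  if run_testcase "$oss_fuzz_dir" "$project" "$target" "$testcase"; then
    echo "testcase does not crash the unpatched build; nothing to verify" >&2
    return 1
  fi

  # 2. Apply the proposed patch; --check first so a partial apply never
  #    leaves the tree half-patched.
  git -C "$src_dir" apply --check "$patch" || return 2
  git -C "$src_dir" apply "$patch" || return 2

  # 3. The patched tree must still compile cleanly ...
  build_from_source "$oss_fuzz_dir" "$project" "$src_dir" || return 2

  # 4. ... and the same testcase must no longer crash.
  if run_testcase "$oss_fuzz_dir" "$project" "$target" "$testcase"; then
    echo "patch verified: builds and resolves the crash" >&2
    return 0
  fi
  echo "patched build still crashes on the testcase" >&2
  return 4
}

# Usage: OSS_FUZZ_DIR=~/oss-fuzz SRC_DIR=~/src/myproject \
#        sh verify_patch.sh PROJECT FUZZ_TARGET TESTCASE PATCH
if [ "$#" -eq 4 ]; then
  verify_patch "$@"
  exit $?
fi
```

The distinct exit codes let the script slot into a pre-merge CI job: code 4 is the case worth reading closely, since it means the patch compiles but leaves the original crash in place, which is exactly the kind of plausible-looking change that deserves the same review rigor as any other submission.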
Send feedback
Recipients of AI-proposed patches can provide insights and feedback to internal reviewers by collaborating through their preferred disclosure channels and the OSS-Fuzz Buganizer issue.
For broader feedback, participants can also open an OSS-Fuzz GitHub issue.