> but there are plenty of projects that managed to fuzz/test/audit their way to making it much harder to find serious vulnerabilities
Agreed! But I think those projects have certain things in common, like being tightly scoped, slowly developed, and built with safety in mind from day 1.
I don't think that any of the projects that have managed to meaningfully improve safety through fuzzing have the same qualities as projects like Firefox, Linux, etc.
Yep. It's notable that they failed to exploit it.