> <i>Since then, afl-fuzz helped to squash hundreds of bugs, in part due to a community of folks who found the tool to be fun to use.</i><p>I wonder whether a tool as unexpectedly successful as this presents the security community with a weird dilemma: If so many people have begun to use afl-fuzz, find problems, and report them, can't we expect that just as many people find problems and <i>don't report them</i>?<p>Now, my security expertise goes as far as "don't roll your own", so maybe all the bugs found were, in practice, relatively difficult to exploit. But could afl-fuzz have helped scores of blackhatters to find and abuse the next shellshocks? If so, in hindsight, was it actually a good move to release afl-fuzz so openly and enthusiastically?
The more I have heard of this guy's work, the more disturbed I am by his skill, breadth, and depth in InfoSec.<p>Not to mention his insane CNC and robotics work. And that is just a freaking hobby to him.<p><a href="https://duckduckgo.com/html?q=lcamtuf%20cnc" rel="nofollow">https://duckduckgo.com/html?q=lcamtuf%20cnc</a>