> <i>Since then, afl-fuzz helped to squash hundreds of bugs, in part due to a community of folks who found the tool to be fun to use.</i><p>I wonder whether a tool as unexpectedly successful as this presents the security community with a weird dilemma: If so many people have begun to use afl-fuzz, find problems, and report them, can't we expect that just as many people find problems and <i>don't report them</i>?<p>Now, my security expertise goes as far as "don't roll your own", so maybe all the bugs found were, in practice, relatively difficult to exploit. But could afl-fuzz have helped scores of blackhatters to find and abuse the next shellshocks? If so, in hindsight, was it actually a good move to release afl-fuzz so openly and enthusiastically?