Why
.github/oss-fuzz/project.yaml ships with placeholder contact addresses:
```yaml
primary_contact: "security@example.invalid"
auto_ccs:
```
These need to be real maintainer emails before submitting to google/oss-fuzz — OSS-Fuzz emails the listed contacts directly when crashes are found, with an embargo of 90 days from notification. Bad contact = no notification = embargo expires unnoticed.
What's blocking
This is an external-contact decision (whose inbox monitors OSS-Fuzz reports?) that lives outside the codebase. Owner needs to pick the address(es) before the submission moves forward.
Reference
- docs/security/OSS_FUZZ.md — the integration plan, checklist, and `.github/oss-fuzz/` directory layout.
- Sprint 10 carries the submission as a separate task in SprintPlanning.md.
Next steps after this is unblocked
- Update project.yaml with the real contact(s).
- Fork google/oss-fuzz.
- Create projects/ghidra-decompiler/ containing the three files from this repo's .github/oss-fuzz/.
- Open the upstream PR per their CONTRIBUTING.md.
- Verify the first trial-run on OSS-Fuzz infrastructure.
- Repeat for projects/ghidra-loader/ (JVM project, Jazzer harnesses) once the C++ side is green.
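
A pre-submission check for the failure mode described under "Why", as an added example that is not part of this repository or of OSS-Fuzz: it reads `primary_contact` and `auto_ccs` from a project.yaml and reports addresses at reserved, undeliverable domains (RFC 2606 / RFC 6761). The function names, the sample file and its `auto_ccs` entry are constructed for illustration, and the parser assumes the block-list layout shown.

```python
import re
import sys

# Names reserved by RFC 2606 / RFC 6761; mail sent there is never delivered.
RESERVED_TLDS = {"invalid", "example", "test", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Constructed sample in the placeholder state; the auto_ccs entry is made up.
SAMPLE = '''\
language: c++
primary_contact: "security@example.invalid"
auto_ccs:
  - "fuzzing@example.invalid"
'''

def contacts(text):
    """Yield (key, address) for primary_contact and each auto_ccs list item."""
    in_ccs = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop YAML comments
        top = re.match(r"^([A-Za-z_]+):\s*(.*)$", line)
        if top:                                       # any top-level key ends the list
            key, value = top.groups()
            in_ccs = key == "auto_ccs"
            if key == "primary_contact":
                yield key, value.strip("\"' ")
            continue
        item = re.match(r"^\s*-\s*(.+)$", line)
        if in_ccs and item:
            yield "auto_ccs", item.group(1).strip("\"' ")

def problems(text):
    """Return human-readable findings; an empty list means the contacts pass."""
    found = list(contacts(text))
    issues = []
    if not any(key == "primary_contact" for key, _ in found):
        issues.append("primary_contact is missing")
    for key, addr in found:
        domain = addr.rpartition("@")[2].lower().rstrip(".")
        if "@" not in addr or not domain:
            issues.append(f"{key}: {addr!r} is not an email address")
        elif domain.rsplit(".", 1)[-1] in RESERVED_TLDS or domain in RESERVED_DOMAINS:
            issues.append(f"{key}: {addr!r} uses a reserved, undeliverable domain")
    return issues

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = problems(text)
    print("\n".join(found) or "contacts look deliverable")
    sys.exit(1 if found else 0)
```

Run against `.github/oss-fuzz/project.yaml` in CI, the non-zero exit status blocks the submission task while the placeholders are still in place.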