OSS-CRS

Cyber Reasoning Systems for Bug-Finding and Patching in Open Source Software

43 Registered CRSs
27 Bug finding
8 Bug fixing
3 Triage
1 Patch ensemble
1 Seed filter
3 harness-gen

Overview

OSS-CRS is an open framework for running Cyber Reasoning Systems against OSS-Fuzz-style targets. A CRS is an agentic system that combines LLM reasoning with traditional security techniques to autonomously find and patch bugs in software. OSS-CRS provides a unified CLI and compose file interface for orchestrating bug-finding fuzzers, LLM-powered bug-fixing agents, triage systems, and seed generators, letting you mix and match components from the registry or bring your own, all against the same target project.

Quick Start

OSS-CRS works with projects that follow the OSS-Fuzz project structure. Make sure you have Python 3.10+, Docker, git, and uv installed.

1. Clone OSS-Fuzz for project environments

git clone --depth=1 --filter=blob:none --no-checkout https://github.com/google/oss-fuzz.git
cd oss-fuzz
git sparse-checkout init --cone
git sparse-checkout set projects
git checkout
cd ..

2. Set up your machine (optional)

Configures LLM provider credentials and system resource isolation. Both steps are interactive and can be skipped.

uv run oss-crs setup

3. Run a baseline CRS

crs-libfuzzer is a lightweight CRS that runs libFuzzer on the target. It needs no LLM credentials and is a good baseline.

# Prepare the CRS
uv run oss-crs prepare \
--compose-file ./example/crs-libfuzzer/compose.yaml

# Build the target project
uv run oss-crs build-target \
--compose-file ./example/crs-libfuzzer/compose.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2

# Run the CRS against the "xml" harness
uv run oss-crs run \
--compose-file ./example/crs-libfuzzer/compose.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2 \
--target-harness xml

4. Run an LLM-backed CRS

For LLM-backed CRSs, export provider keys (or put them in .env) and use one of the multi-language Atlantis examples.

# export OPENAI_API_KEY=<your-openai-key>
# export GEMINI_API_KEY=<your-gemini-key>
# export ANTHROPIC_API_KEY=<your-anthropic-key>

uv run oss-crs prepare \
--compose-file ./example/atlantis-multilang-wo-concolic/compose.yaml

uv run oss-crs build-target \
--compose-file ./example/atlantis-multilang-wo-concolic/compose.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2

uv run oss-crs run \
--compose-file ./example/atlantis-multilang-wo-concolic/compose.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2 \
--target-harness xml

See LLM configuration for full provider details.

5. Run Claude Code CRSs with OAuth

We also provide configurations for running our Claude Code bug-finding and patching CRSs using an OAuth token, which can be generated by a user with an Anthropic subscription.

claude setup-token

# Export the token, or add it to a .env file in your working directory
export CLAUDE_CODE_OAUTH_TOKEN=<your-oauth-token>

Bug-finding with Claude Code:

uv run oss-crs prepare \
--compose-file ./example/crs-bug-finding-claude-code/compose-oauth.yaml

uv run oss-crs build-target \
--compose-file ./example/crs-bug-finding-claude-code/compose-oauth.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2

uv run oss-crs run \
--compose-file ./example/crs-bug-finding-claude-code/compose-oauth.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2 \
--target-harness xml

Bug-fixing (patching) with Claude Code against a provided PoV:

uv run oss-crs prepare \
--compose-file ./example/crs-claude-code/compose-oauth.yaml

uv run oss-crs build-target \
--compose-file ./example/crs-claude-code/compose-oauth.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2

uv run oss-crs run \
--compose-file ./example/crs-claude-code/compose-oauth.yaml \
--fuzz-proj-path ./oss-fuzz/projects/libxml2 \
--target-harness xml \
--pov "$PATH_TO_POV"
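
Steps 4 and 5 have you export provider keys or the Claude Code OAuth token, or keep them in a .env file in the working directory. The preflight check below is an added example, not part of OSS-CRS: it confirms the named keys are present without printing their values and flags a .env file that group or other users can read. The function names, the simple KEY=value .env syntax, and the owner-only permission expectation are assumptions of this example.

```shell
# Added example, not part of OSS-CRS. Key names come from the Quick Start;
# the KEY=value .env syntax and the owner-only mode check are assumptions.

# has_key NAME ENVFILE: succeed if NAME is non-empty in the environment or
# has a non-empty assignment in ENVFILE. The value is never printed.
has_key() {
    name=$1 envfile=$2
    # Accept only plain variable names so the eval below is safe.
    case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;; esac
    eval "val=\${$name:-}"
    if [ -n "$val" ]; then val=; return 0; fi
    [ -f "$envfile" ] || return 1
    grep -Eq "^[[:space:]]*(export[[:space:]]+)?${name}=[\"']?[^\"'[:space:]#]" "$envfile"
}

# env_file_private ENVFILE: succeed if the file is absent or grants no
# permissions to group/other (for example mode 0600).
env_file_private() {
    [ -e "$1" ] || return 0
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# preflight ENVFILE NAME...: print one status line per key.
# Returns 0 if every key is available and ENVFILE is private,
# 1 if a key is missing, 2 if ENVFILE is readable by group/other.
preflight() {
    envfile=$1; shift
    rc=0
    for name in "$@"; do
        if has_key "$name" "$envfile"; then
            echo "ok:      $name"
        else
            echo "missing: $name"; rc=1
        fi
    done
    if ! env_file_private "$envfile"; then
        echo "warn:    $envfile is readable by group/other; run: chmod 600 $envfile"
        rc=2
    fi
    return "$rc"
}
```

Source the file and call, for example, `preflight .env CLAUDE_CODE_OAUTH_TOKEN` before `uv run oss-crs run`, passing whichever key names your compose file needs.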

OpenSSF Sandbox project

OSS-CRS is a sandbox project in the OpenSSF