Description
Field | Suggestion
---|---
Labels | enhancement
Assignees | @ArthurSonzogni
CC | @letitz, @alhijazi, @paulsemel
According to the Chromium security severity guidelines, crashes protected by MiraclePtr should not be treated as security issues. Instead, they should be converted to functional bugs (i.e., `type:Bug`) and assigned to the relevant engineering team.
Currently, ClusterFuzz can correctly identify MiraclePtr-protected crashes and apply the `MiraclePtr-Protected` hotlist. However, it does not automatically change the issue type from a security bug to a functional bug, nor does it adjust the severity. This requires manual intervention from security triagers.
The proposed solution is to modify the crash analysis logic. Instead of only applying a hotlist at issue filing time, the MiraclePtr status should be mapped directly to the `issue_labels` metadata during the initial crash analysis. This will ensure that when a bug is filed for a MiraclePtr-protected crash, it is immediately and correctly categorized as a non-security functional bug.
This change would streamline the bug triage process and ensure developers prioritize the most critical vulnerabilities first.
Affected Code:
The investigation points to the following areas of the codebase:
- `src/clusterfuzz/_internal/issue_management/issue_filer.py`: This file is responsible for filing the issue. The logic for determining MiraclePtr status and applying labels/hotlists is here.
- The crash analysis part of the code, which runs before the issue filer. The suggestion is to hook into this part to add the `issue_labels` metadata.
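To make the proposed flow concrete, here is an added illustration of the two steps described above. It is not ClusterFuzz's own code: the `CrashAnalysis` dataclass, the `annotate_miracleptr` hook, the `build_issue` filer stand-in and the `MiraclePtr Status:` stack-trace marker are all assumptions made for this example, and the sample stack traces are constructed. The point it shows is that once the crash analysis step records the status in `issue_labels`, the filer needs no knowledge of MiraclePtr at all: it only honours the metadata it is handed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed stack-trace marker (constructed for this example; the real
# ClusterFuzz detector may match different text).
MIRACLEPTR_STATUS_RE = re.compile(
    r"MiraclePtr Status:\s*(PROTECTED|NOT PROTECTED|MANUAL ANALYSIS REQUIRED)"
)

# Label values named in the issue text; exact tracker spelling is assumed.
FUNCTIONAL_BUG_TYPE = "type:Bug"
MIRACLEPTR_HOTLIST = "MiraclePtr-Protected"


@dataclass
class CrashAnalysis:
    """Minimal stand-in for the output of the crash analysis step."""
    crash_type: str
    stacktrace: str
    security_flag: bool = False
    security_severity: Optional[str] = None
    metadata: dict = field(default_factory=dict)


def detect_miracleptr_status(stacktrace: str) -> Optional[str]:
    """Return the MiraclePtr status string found in the trace, or None."""
    match = MIRACLEPTR_STATUS_RE.search(stacktrace)
    return match.group(1) if match else None


def annotate_miracleptr(analysis: CrashAnalysis) -> CrashAnalysis:
    """Crash-analysis hook: map a PROTECTED status into issue_labels metadata.

    NOT PROTECTED and MANUAL ANALYSIS REQUIRED are left untouched, so those
    crashes keep their security classification for a human triager.
    """
    status = detect_miracleptr_status(analysis.stacktrace)
    if status is None:
        return analysis
    analysis.metadata["miracleptr_status"] = status
    if status != "PROTECTED":
        return analysis
    labels = analysis.metadata.setdefault("issue_labels", [])
    for label in (MIRACLEPTR_HOTLIST, FUNCTIONAL_BUG_TYPE):
        if label not in labels:
            labels.append(label)
    return analysis


def build_issue(analysis: CrashAnalysis) -> dict:
    """Issue-filer stand-in: derive tracker fields from analysis + metadata.

    The filer never inspects the stack trace; a functional-bug label placed
    in issue_labels overrides the security flag and drops the severity.
    """
    labels = list(analysis.metadata.get("issue_labels", []))
    if FUNCTIONAL_BUG_TYPE in labels:
        issue_type, severity = "Bug", None
    elif analysis.security_flag:
        issue_type, severity = "Vulnerability", analysis.security_severity
    else:
        issue_type, severity = "Bug", None
    return {"type": issue_type, "severity": severity, "labels": labels}


# Constructed sample traces (not real crash reports).
PROTECTED_TRACE = """==1234==ERROR: AddressSanitizer: heap-use-after-free
MiraclePtr Status: PROTECTED
    #0 0x0 in blink::Example::Run()
"""
MANUAL_TRACE = """==2345==ERROR: AddressSanitizer: heap-use-after-free
MiraclePtr Status: MANUAL ANALYSIS REQUIRED
    #0 0x0 in blink::Example::Run()
"""
UNMARKED_TRACE = """==5678==ERROR: AddressSanitizer: heap-use-after-free
    #0 0x0 in blink::Other::Run()
"""


def triage(stacktrace: str, security_flag: bool = True, severity: str = "High") -> dict:
    """Run both steps in the order the proposal describes: analyse, then file."""
    analysis = CrashAnalysis("Heap-use-after-free", stacktrace, security_flag, severity)
    return build_issue(annotate_miracleptr(analysis))


if __name__ == "__main__":
    for name, trace in (("protected", PROTECTED_TRACE), ("manual", MANUAL_TRACE), ("unmarked", UNMARKED_TRACE)):
        print(name, triage(trace))
```

Running the module prints one filed-issue record per sample: the PROTECTED crash comes out as a `Bug` with no severity and both labels attached, while the MANUAL ANALYSIS REQUIRED and unmarked traces remain `Vulnerability` at the original severity.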
Related bug: https://crbug.com/40930527