OpenSSF is welcoming OSS-CRS, an open source framework that emerged from DARPA's AIxCC competition, into its AI/ML Security Working Group. OSS-CRS provides a standard orchestration layer for building and running LLM-based autonomous bug-finding and bug-fixing systems. Key features include a unified CRS interface, OSS-Fuzz compatibility, ensemble support for combining multiple CRS approaches, and resource controls for CPU and LLM budgets. The project has already found 25 vulnerabilities across 16 open source projects. Research shows 20-40% of AI-generated patches are semantically incorrect despite passing automated validation, highlighting the need for human review. The Ensemble feature addresses this by combining patches from multiple CRS approaches to improve semantic correctness.