Glossary

Triage

The workflow of reviewing, prioritizing, and reproducing crashes found by a fuzzer to determine exploitability and root cause.

Triage is the human-and-tool process that converts raw fuzzer crashes into actionable bug reports. A typical triage workflow proceeds in four stages: first, crash deduplication to collapse thousands of crash inputs into unique bugs by stack-trace signature; second, automated reproduction to confirm each crash is deterministic and record the exact sanitizer output; third, severity classification (is this a heap overflow, which is critical, or a null dereference in error handling, which is low?); fourth, root-cause analysis to identify the vulnerable code path. AddressSanitizer output (fault type, allocation trace, free trace) is the primary artifact. Tools like `afl-tmin` and libFuzzer's `-minimize_crash=1` mode shrink crash inputs to their minimal reproducer, which makes manual root-cause analysis significantly faster. Triage backlogs are the most common operational bottleneck in mature fuzzing programmes.
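The deduplication and severity stages described above, sketched as an added example (not code from this glossary or from any fuzzer project). The report text is constructed, and the function names, the three-frame signature depth and the two-entry severity mapping are assumptions made for illustration.

```python
import hashlib
import re

FAULT_RE = re.compile(r"AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-f]+))?")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)", re.M)
# Constructed, abbreviated ASan-style reports; not output from a real target.
_OVF = ("==1==ERROR: AddressSanitizer: heap-buffer-overflow on address {a} at pc 0x4f1a2a\n"
        "    #0 0x4f1a2a in parse_chunk /src/png.c:212\n    #1 0x4f0c11 in read_image /src/png.c:88\n"
        "allocated by thread T0 here:\n    #0 0x4a0001 in malloc\n    #1 0x4f0b00 in read_image /src/png.c:70\n")
REPORTS = {
    "crash-001": _OVF.format(a="0x602000000018"),
    "crash-002": _OVF.format(a="0x6020000000f4"),
    "crash-003": "==3==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x4e2000)\n"
                 "    #0 0x4e2000 in report_error /src/err.c:31\n    #1 0x4f0c40 in read_image /src/png.c:95\n",
}

def parse_report(text):
    """Return (fault_type, fault_address_or_None, faulting-stack function names) or None."""
    m = FAULT_RE.search(text)
    if not m:
        return None
    frames = []
    for num, func in FRAME_RE.findall(text[m.end():]):
        if num == "0" and frames:  # a second frame #0 starts the allocation/free trace
            break
        frames.append(func)
    return m.group(1), int(m.group(2), 16) if m.group(2) else None, frames

def signature(fault, frames, depth=3):
    # Function names only: addresses and line numbers vary between runs and builds.
    return hashlib.sha256("|".join([fault] + frames[:depth]).encode()).hexdigest()[:12]

def severity(fault, addr):
    # Assumed coarse first pass covering only the two cases named above; the rest needs a human.
    if fault == "heap-buffer-overflow":
        return "critical"
    return "low" if fault == "SEGV" and addr is not None and addr < 0x1000 else "needs-review"

def triage(reports):
    buckets = {}
    for name in sorted(reports):
        if parsed := parse_report(reports[name]):
            fault, addr, frames = parsed
            entry = {"fault": fault, "severity": severity(fault, addr), "inputs": []}
            buckets.setdefault(signature(fault, frames), entry)["inputs"].append(name)
    return buckets

if __name__ == "__main__":
    print(triage(REPORTS))
```

The two overflow inputs differ only in fault address and collapse into one bucket, while the allocation trace is kept out of the signature so that allocator frames do not split or merge bugs.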