English

Following Dragons: Code Review-Guided Fuzzing

Cryptography and Security 2026-02-12 v1 Software Engineering

Abstract

Modern fuzzers scale to large, real-world software but often fail to exercise the program states developers consider most fragile or security-critical. Such states are typically deep in the execution space, gated by preconditions, or overshadowed by lower-value paths that consume limited fuzzing budgets. Meanwhile, developers routinely surface risk-relevant insights during code review, yet this information is largely ignored by automated testing tools. We present EyeQ, a system that leverages developer intelligence from code reviews to guide fuzzing. EyeQ extracts security-relevant signals from review discussions, localizes the implicated program regions, and translates these insights into annotation-based guidance for fuzzing. The approach operates atop existing annotation-aware fuzzing, requiring no changes to program semantics or developer workflows. We first validate EyeQ through a human-guided feasibility study on a security-focused dataset of PHP code reviews, establishing a strong baseline for review-guided fuzzing. We then automate the workflow using a large language model with carefully designed prompts. EyeQ significantly improves vulnerability discovery over standard fuzzing configurations, uncovering more than 40 previously unknown bugs in the security-critical PHP codebase.

Keywords

Cite

@article{arxiv.2602.10487,
  title  = {Following Dragons: Code Review-Guided Fuzzing},
  author = {Viet Hoang Luu and Amirmohammad Pasdar and Wachiraphan Charoenwet and Toby Murray and Shaanan Cohney and Van-Thuan Pham},
  journal= {arXiv preprint arXiv:2602.10487},
  year   = {2026}
}
R2 v1 2026-07-01T10:31:09.454Z