Following Dragons: Code Review-Guided Fuzzing
Abstract
Modern fuzzers scale to large, real-world software but often fail to exercise the program states developers consider most fragile or security-critical. Such states are typically deep in the execution space, gated by preconditions, or overshadowed by lower-value paths that consume limited fuzzing budgets. Meanwhile, developers routinely surface risk-relevant insights during code review, yet this information is largely ignored by automated testing tools. We present EyeQ, a system that leverages developer intelligence from code reviews to guide fuzzing. EyeQ extracts security-relevant signals from review discussions, localizes the implicated program regions, and translates these insights into annotation-based guidance for fuzzing. The approach operates atop existing annotation-aware fuzzing, requiring no changes to program semantics or developer workflows. We first validate EyeQ through a human-guided feasibility study on a security-focused dataset of PHP code reviews, establishing a strong baseline for review-guided fuzzing. We then automate the workflow using a large language model with carefully designed prompts. EyeQ significantly improves vulnerability discovery over standard fuzzing configurations, uncovering more than 40 previously unknown bugs in the security-critical PHP codebase.
Cite
@article{arxiv.2602.10487,
title = {Following Dragons: Code Review-Guided Fuzzing},
author = {Viet Hoang Luu and Amirmohammad Pasdar and Wachiraphan Charoenwet and Toby Murray and Shaanan Cohney and Van-Thuan Pham},
journal= {arXiv preprint arXiv:2602.10487},
year = {2026}
}