Dear OpenLDAP team,

My name is Yunhang Zhang, working with Prof. Jun Xu at the University of Utah (CS).

We recently reported a NULL pointer dereference issue to OpenLDAP (Bug 10429), which was fixed in merge request [826](https://git.openldap.org/openldap/openldap/-/merge_requests/826) . Thank you for the prompt fix.

I’m writing to discuss potential ongoing fuzzing and security contributions and to ask for guidance on the preferred process. We are part of the DARPA AI Cyber Challenge (AIxCC) finalist team “42-b3yond-6ug,” where we developed an AI-driven Cyber Reasoning System (CRS) that automatically generates fuzzing harnesses and discovers vulnerabilities in large C/C++ codebases.

Applying this system to OpenLDAP so far, we have:

* Generated LibFuzzer-compatible fuzzing harnesses targeting public OpenLDAP APIs * Validated the harnesses against documented interfaces * Integrated the harnesses into OSS-Fuzz for continuous testing

Our draft OSS-Fuzz integration is available here: https://github.com/google/oss-fuzz/pull/14872

At present, this work lives entirely in OSS-Fuzz and does not modify the OpenLDAP source tree. We are continuing to verify additional harnesses and investigate findings; any confirmed bugs and corresponding patches will be submitted through the Issue Tracking System in accordance with the contribution guidelines.

The goal is to improve long-term robustness and security coverage with minimal maintenance overhead for the OpenLDAP project. We believe broader fuzzing coverage can help detect regressions and subtle issues earlier over time.

We would appreciate guidance from the community on whether this approach aligns with OpenLDAP’s expectations, and whether there are preferences regarding API scope, exclusions, or future in-tree fuzzing contributions.

Thanks for your time and for maintaining OpenLDAP.

Best regards, Yunhang Zhang University of Utah (on behalf of the 42-b3yond-6ug / DARPA AIxCC team)