google · david-a-wheeler · May 5, 2026
diff --git a/projects/best-practices-badge/Dockerfile b/projects/best-practices-badge/Dockerfile
@@ -0,0 +1,14 @@
+# Copyright 2026 the Linux Foundation and the
+# OpenSSF Best Practices badge contributors
+# SPDX-License-Identifier: MIT
+
+FROM gcr.io/oss-fuzz-base/base-builder-ruby
+
+# commonmarker ships a pre-built x86_64-linux native gem (backed by Rust/comrak),
+# so no Rust toolchain is required in this image.
+
+RUN git clone --depth=1 \
+    https://github.com/coreinfrastructure/best-practices-badge.git \
+    "$SRC/best-practices-badge"
+
+COPY build.sh "$SRC/"
diff --git a/projects/best-practices-badge/README.md b/projects/best-practices-badge/README.md
@@ -0,0 +1,36 @@
+# OpenSSF Best Practices Badge — OSS-Fuzz integration
+
+The [OpenSSF Best Practices Badge](https://www.bestpractices.dev/) is the
+Linux Foundation / OpenSSF's official security-badging system for free and
+open source software. Over 10,000 open source projects have registered,
+including critical infrastructure such as the Linux kernel, curl, OpenSSL,
+Node.js, and Kubernetes. The badge criteria are a widely-used
+scheme for demonstrating secure development practices.
+The software supports both its own "metal" criteria (passing, silver, gold)
+derived from secure OSS practices, and the "baseline" criteria
+(baseline-1, baseline-2, baseline-3) derived from recommendations from
+regulations, government guides, and similar materials on how to secure
+OSS. We generally encourage projects to do both eventually.
+
+## Current Fuzz targets
+
+| Target | Source | What it exercises |
+|---|---|---|
+| `fuzz_url_validator` | `app/validators/url_validator.rb` | Custom URL regex, percent-decode pipeline, UTF-8 encoding validation |
+| `fuzz_markdown_processor` | `app/lib/markdown_processor.rb`, `app/lib/invoke_commonmarker.rb` | Markdown fast-path regexes (ReDoS), CommonMarker HTML generation, URL-protocol sanitization (XSS prevention) |
+
+Harnesses live in `script/fuzz_*.rb` in the project repository and are
+referenced directly by `build.sh` so they stay in sync with source changes.
+
+We expect this to grow over time; this is a starting point.
+
+## Fuzzing stack
+
+- **Language:** Ruby
+- **Library:** [Ruzzy](https://github.com/trailofbits/ruzzy) (Trail of Bits)
+- **Engine:** libFuzzer
+- **Sanitizers:** AddressSanitizer, UndefinedBehaviorSanitizer
+
+## Reporting vulnerabilities
+
+Use the [GitHub private vulnerability reporting form](https://github.com/coreinfrastructure/best-practices-badge/security/advisories/new).
diff --git a/projects/best-practices-badge/build.sh b/projects/best-practices-badge/build.sh
@@ -0,0 +1,56 @@
+#!/bin/bash -eu
+# Copyright 2026 the Linux Foundation and the
+# OpenSSF Best Practices badge contributors
+# SPDX-License-Identifier: MIT
+#
+# OSS-Fuzz build script for best-practices-badge.
+# Runs inside gcr.io/oss-fuzz-base/base-builder-ruby.
+# See https://google.github.io/oss-fuzz/getting-started/new-project-guide/
+#
+# To test locally:
+#   python3 infra/helper.py build_image best-practices-badge
+#   python3 infra/helper.py build_fuzzers --sanitizer address best-practices-badge
+#   python3 infra/helper.py check_build best-practices-badge
+#   python3 infra/helper.py run_fuzzer best-practices-badge fuzz_url_validator
+
+# Install activemodel (+ activesupport chain) for fuzz_url_validator.
+# No database or full Rails stack is needed; activemodel is self-contained.
+gem install activemodel -v '8.1.3' \
+    --install-dir "$GEM_HOME" \
+    --verbose
+
+# Install commonmarker for fuzz_markdown_processor.
+# The gem ships a pre-built x86_64-linux native extension,
+# so no Rust toolchain is needed.
+gem install commonmarker -v '2.6.3' \
+    --install-dir "$GEM_HOME" \
+    --verbose
+
+# Build fuzz targets.  ruzzy-build (provided by base-builder-ruby) copies each
+# .rb harness to $OUT and writes a shell wrapper that sets GEM_HOME and invokes
+# the ruzzy driver — that wrapper is what OSS-Fuzz/ClusterFuzz actually runs.
+ruzzy-build "$SRC/best-practices-badge/script/fuzz_url_validator.rb"
+ruzzy-build "$SRC/best-practices-badge/script/fuzz_markdown_processor.rb"
+
+# Seed corpora help the fuzzer reach interesting paths faster.
+mkdir -p "$WORK/seed_url"
+printf ''                                                           > "$WORK/seed_url/empty"
+printf 'https://www.example.com'                                   > "$WORK/seed_url/simple"
+printf 'https://github.com/coreinfrastructure/best-practices-badge' > "$WORK/seed_url/long_path"
+printf 'https://example.com/foo%%20bar'                            > "$WORK/seed_url/encoded"
+printf 'http://example.com:8080/a/b/c'                             > "$WORK/seed_url/port"
+printf 'not-a-url'                                                 > "$WORK/seed_url/invalid"
+zip -j "$OUT/fuzz_url_validator_seed_corpus.zip" "$WORK/seed_url/"*
+
+mkdir -p "$WORK/seed_md"
+printf 'Simple plain text.'                                        > "$WORK/seed_md/plain"
+printf 'https://www.example.com'                                   > "$WORK/seed_md/bare_url"
+printf 'View more at: https://www.example.com/path?q=1'            > "$WORK/seed_md/prefixed_url"
+printf '**bold** and _italic_ text'                                > "$WORK/seed_md/formatting"
+printf '[link](https://example.com)'                               > "$WORK/seed_md/link"
+printf '| H1 | H2 |\n|----|----|\n| a  | b  |'                    > "$WORK/seed_md/table"
+printf '`inline code`'                                             > "$WORK/seed_md/code"
+printf '> block quote'                                             > "$WORK/seed_md/blockquote"
+printf '<script>alert(1)</script>'                                  > "$WORK/seed_md/xss_attempt"
+printf '[x](javascript:alert(1))'                                  > "$WORK/seed_md/bad_protocol"
+zip -j "$OUT/fuzz_markdown_processor_seed_corpus.zip" "$WORK/seed_md/"*
diff --git a/projects/best-practices-badge/project.yaml b/projects/best-practices-badge/project.yaml
@@ -0,0 +1,17 @@
+homepage: https://www.bestpractices.dev
+language: ruby
+primary_contact: dwheeler@linuxfoundation.org
+main_repo: https://github.com/coreinfrastructure/best-practices-badge
+file_github_issue: true
+help_url: https://github.com/coreinfrastructure/best-practices-badge/security/advisories/new
+
+# Ruzzy (the Ruby fuzzing library) is built on libFuzzer.
+# AFL, honggfuzz, and centipede are not compatible with Ruzzy harnesses.
+fuzzing_engines:
+  - libfuzzer
+
+# MemorySanitizer requires every dependency to be fully instrumented and
+# is not compatible with Ruby's native C/Rust extensions.
+sanitizers:
+  - address
+  - undefined