OSS-CRS Tutorial A: Bug-Finding and Patching for the LLM Era
From the first-place team ($4M cash award) at AIxCC (AI Cyber Challenge)
Join our SVCC 2026 tutorial to uncover real attack vectors, defense strategies, and hands-on insights led by the first-place team from Georgia Institute of Technology at DARPA’s AI Cyber Challenge (AIxCC). Here is news coverage of the winning team from Atlanta.
When: June 12, 2026 from 10 a.m. to 4 p.m., excluding lunchtime
Tutorial Leader: Dr. Taesoo Kim, Professor, Georgia Institute of Technology
Dr. Taesoo Kim, Professor, Georgia Institute of Technology
Speakers: Andrew Chin (Ph.D) and Brian Lee (Ph.D), core members of Team Atlanta in the DARPA AI Cyber Challenge (AIxCC).
Short Bio: Andrew and Brian are Ph.D. students in the Systems Software and Security Lab at the Georgia Institute of Technology, advised by Prof. Taesoo Kim. Andrew is a core member of Team Atlanta, a multi-organizational collaboration that took first place in the DARPA AI Cyber Challenge (AIxCC). Building on the work from AIxCC, Andrew is leading a Team Atlanta effort — in partnership with the Open Source Security Foundation (OpenSSF) — to give back to the community by developing a unified framework and standard to advance the future of Cyber Reasoning System development. Brian's goal is to develop efficient bug-finding frameworks and automated vulnerability management systems, particularly for the open-source community, ultimately contributing to global security as a whole.
Andrew Chin (Ph.D)
Brian Lee (Ph.D)
Agenda
Introduction
Overview, Goals, and Features
This tutorial provides lab components, including hands-on exercises and demos.
Lab Environment Setup
Participants are expected to bring their own machines with Vagrant (https://developer.hashicorp.com/vagrant/install) installed. We will prepare and provide a Linux VM image.
Lab 1
Introduction to Fuzzing
Have hands-on experience running a fuzzer and watching it produce a crash
Give participants a project (or group of projects) that contains a bug discoverable by fuzzing
Provide an explanation of the bug and its root cause, helping participants understand the issue
Lab 2
Security Patching
Demonstrate automated security patching
Run a basic patching CRS and study the produced patch
Demonstrate that the patch fixes the security vulnerability found by the fuzzer
Lab 3
Limitations of Traditional Fuzzing
Demonstrate the limitations of the basic fuzzer
Give participants another project (or group of projects) that contains bugs that are hard to find via fuzzing
Lunch Break
Lab 4
Creating/Enhancing a CRS
Provide hands-on experience with CRS development
Emphasize the functions and components in CRS that help overcome the limits of fuzzers
Prompt engineering for an existing agentic CRS (Lab 4.1)
Overriding the compiler pass for bug finding (Lab 4.2)
Using static analysis to enhance agents (Lab 4.3)
Including additional tools that agents can utilize for deeper analysis (Lab 4.4)
Enhancing results through collaboration among agents (Lab 4.5)
Introduce diverse techniques
Closing: Ensembling CRSs & Remarks
Demonstrate how combining all of them leads to more effective bug finding and patching
Run the basic CRSs with different models
Wrap up the session