
OSS-CRS Tutorial A: Bug-Finding and Patching for the LLM Era
From the first-place team at AIxCC (AI Cyber Challenge)

Join our SVCC 2026 tutorial to uncover real attack vectors, defense strategies, and hands-on insights led by the first-place team from Georgia Institute of Technology at DARPA’s AI Cyber Challenge (AIxCC). Here is news coverage of the winning team from Atlanta.
Tutorial for Bug-Finding and Patching for the LLM Era
When: June 12, 2026 from 10 a.m. to 4 p.m., excluding lunchtime.
Tutorial Leader: Dr. Taesoo Kim, Professor, Georgia Institute of Technology
Speakers: Andrew Chin (Ph.D) and Brian Lee (Ph.D)
Short Bio: Andrew and Brian are Ph.D. students in the Systems Software and Security Lab at the Georgia Institute of Technology, advised by Prof. Taesoo Kim. Andrew is a core member of Team Atlanta, a multi-organizational collaboration that took first place in the DARPA AI Cyber Challenge (AIxCC). Building on the work from AIxCC, Andrew is leading a Team Atlanta effort — in partnership with the Open Source Security Foundation (OpenSSF) — to give back to the community by developing a unified framework and standard to advance the future of Cyber Reasoning System development. Brian's goal is to develop efficient bug-finding frameworks and automated vulnerability management systems, particularly for the open-source community, ultimately contributing to global security as a whole.
Here is the detailed agenda. This tutorial provides lab components, including hands-on exercises and demos.
- Introduction to OSS-CRS: Overview, Goals, and Features
- Lab Environment Setup
  - Participants are expected to bring their own machines with Vagrant (https://developer.hashicorp.com/vagrant/install) installed. We will prepare and provide a Linux VM image.
- Introduction to Fuzzing (Lab 1)
  - Have hands-on experience running a fuzzer and watching it produce a crash
  - Give participants a project (or group of projects) that contains a bug discoverable by fuzzing
  - Provide an explanation of the bug and its root cause, helping participants understand the issue
- Security Patching: Demonstrate automated security patching (Lab 2)
  - Run a basic patching CRS and study the produced patch
  - Demonstrate that the patch fixes the security vulnerability found by the fuzzer
- Limitations of Traditional Fuzzing (Lab 3)
  - Demonstrate the limitations of the basic fuzzer
  - Give participants another project (or group of projects) that contains bugs that are hard to find via fuzzing
- Lunch Break
- CRS: Creating/Enhancing a CRS (Lab 4)
  - Provide hands-on experience with CRS development
  - Emphasize the functions and components in CRS that help overcome the limits of fuzzers
- Prompt engineering for an existing agentic CRS (Lab 4.1)
- Overriding the compiler pass for bug finding (Lab 4.2)
- Using static analysis to enhance agents (Lab 4.3)
- Including additional tools that agents can utilize for deeper analysis (Lab 4.4)
- Enhancing results through collaboration among agents (Lab 4.5)
- Introduce diverse techniques
- Closing: Ensembling CRSs & Remarks
  - Demonstrate how combining all of them leads to more effective bug finding and patching
  - Run the basic CRSs with different models
  - Wrap up the session


