Fuzzit was started in early 2019 by myself as a spin-off project from my consulting company. The consulting revenue gave me the opportunity to dedicate time and explore the fuzzing-as-a-service idea a bit more without taking VC money too early and becoming “locked-in”.
After about 6 months, Fuzzit started gaining traction and becoming a leader in the open-source community. It was the first commercial product to offer languages such as Go, Rust and more, while at the time OSS-Fuzz only supported C/C++ and wasn’t available for all OSS projects.
After about 8 months, once the product had matured thanks to input from the open-source users, we went exploring the enterprise market more deeply. We developed that in 3 main directions:
- Enterprise client interviews and PoCs
- Partnerships with various CI providers to expand the reach
- Enterprise-focused VCs
In that process we were lucky to meet with GitLab, where after a few calls it became apparent this could be a great fit for both sides to pursue an acquisition (I’ll expand on that later on here).
At that point in time, we had to decide whether we were moving forward with an acquisition or going to raise funding to try and build a large business. In our process of exploring the fuzzing enterprise market, we understood that if we wanted to build a big DevSecOps company we would need to expand the offering far beyond continuous coverage-fuzzing. This is of course possible but will create even more fragmentation in the already fragmented market, and will require a substantial amount of financial investment. The opportunity to join a unique place like GitLab for me personally and the amazing technological fit for Fuzzit to be supported natively in a complete DevSecOps platform made the decision easy for me.
Having been part of a few acquisitions (some successful and some not), I can say first hand that the acquisition process is always a complex one, where only a few acquisitions close in the end and many fall in various stages of the process. The acquisition process was very transparent and efficient, as documented in the handbook.
Completely by chance, the head of corp dev, Eliran Mesika, is Israeli, which made things very easy for me personally as I could speak and negotiate in my mother tongue. GitLab grew in the last two years to over 1200 people, doubling the team, so understanding the structure and driving the process are not easy feats. The process was very transparent even with some unexpected delays/bumps on the way.
During the acquisition process I had the chance to meet quite a few people from the Secure team, where we discussed the technology and what the integration would look like, and made sure it’s a good fit for everyone both in terms of technology and culture. After the term sheet was signed, it was mainly legal work, and once that was complete I joined GitLab!
My vision at Fuzzit was to advance continuous coverage-guided fuzzing adoption to make software more secure. I’m only 5 months in but I feel that this vision fits perfectly at GitLab with its shift-left strategy and single DevSecOps application. I believe native support for continuous coverage-guided fuzzing in GitLab will lower the barrier to entry for developers, increase adoption and will make software more secure. I still have a lot of work and learning to do at GitLab to achieve the above but so far we have made great progress. It has been an awesome experience for me and hopefully for everyone else here who was involved!
You can check out the current state and documentation of coverage-guided fuzzing in GitLab here
Stay tuned for future fuzzing features and blogs!