
Thanks for the additional information.

When experimenting with libFuzzer to test an audio processing library, I was impressed by the results and also the ease of setup. In-process fuzzing is really the best option for that use-case, which is why I chose libFuzzer over AFL.

An open-source alternative of Microsoft's SAGE/Springfield would be cool. I'm sure there are things to come with the efforts in CRS you mentioned. Looking forward to where this goes and hope that your 2- and 5-year outlooks hold true.
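The in-process setup the comment above describes, as an added example that is not the commenter's code and not from any real audio library: a libFuzzer harness (`LLVMFuzzerTestOneInput`) wrapped around a small constructed parser for a made-up `WAVX` clip format, plus a reproducer `main` so a crash file written by libFuzzer can be replayed without the fuzzer. The format, the parser and the seed bytes are all assumptions made for illustration.

```c
/* Added example: an in-process libFuzzer harness for a small, constructed
 * audio-container parser. The parser is a stand-in for whatever library is
 * under test (not code from the original post), but the bounds checks it does
 * are the ones a fuzzer finds missing in real decoders. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parsed metadata for one clip. */
typedef struct {
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t bits_per_sample;
    uint32_t data_bytes;   /* bytes of PCM that follow the header */
    int64_t  sum;          /* fold over all samples, so the PCM is actually read */
} audio_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed header layout (little-endian, 20 bytes):
 *   "WAVX" | u16 channels | u32 sample_rate | u16 bits | u32 data_bytes | u32 reserved
 * Returns 0 on success, -1 on malformed input. Every length taken from the
 * header is checked against the buffer actually supplied. */
#define HDR_LEN 20
int parse_clip(const uint8_t *buf, size_t len, audio_info *out)
{
    if (len < HDR_LEN || memcmp(buf, "WAVX", 4) != 0) return -1;
    audio_info info;
    info.channels        = rd16(buf + 4);
    info.sample_rate     = rd32(buf + 6);
    info.bits_per_sample = rd16(buf + 10);
    info.data_bytes      = rd32(buf + 12);
    if (info.channels == 0 || info.channels > 8) return -1;
    if (info.bits_per_sample != 8 && info.bits_per_sample != 16) return -1;
    size_t frame = (size_t)info.channels * (info.bits_per_sample / 8);
    if (info.data_bytes % frame != 0) return -1;
    /* The classic decoder bug is trusting data_bytes from the header; bound it. */
    if (info.data_bytes > len - HDR_LEN) return -1;
    const uint8_t *pcm = buf + HDR_LEN;
    info.sum = 0;
    for (size_t i = 0; i < info.data_bytes; i += info.bits_per_sample / 8)
        info.sum += (info.bits_per_sample == 8) ? (int64_t)(int8_t)pcm[i]
                                                : (int64_t)(int16_t)rd16(pcm + i);
    if (out) *out = info;
    return 0;
}

/* libFuzzer entry point: called in-process on every mutated buffer. It must
 * return 0 and must not crash on inputs the parser rejects; anything the
 * sanitizer catches inside parse_clip is a finding. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    audio_info info;
    (void)parse_clip(data, size, &info);
    return 0;
}

/* A constructed valid seed (16-bit stereo, two frames) to start the corpus
 * from something that passes the header checks. Returns bytes written. */
size_t build_seed(uint8_t *buf, size_t cap)
{
    static const uint8_t seed[] = {
        'W', 'A', 'V', 'X',
        0x02, 0x00,                   /* channels = 2 */
        0x44, 0xAC, 0x00, 0x00,       /* sample_rate = 44100 */
        0x10, 0x00,                   /* bits = 16 */
        0x08, 0x00, 0x00, 0x00,       /* data_bytes = 8 */
        0x00, 0x00, 0x00, 0x00,       /* reserved */
        0x01, 0x00, 0xFF, 0xFF, 0x10, 0x00, 0x00, 0x80  /* samples 1, -1, 16, -32768 */
    };
    if (cap < sizeof seed) return 0;
    memcpy(buf, seed, sizeof seed);
    return sizeof seed;
}

/* Build as a fuzzer:     clang -g -O1 -fsanitize=fuzzer,address -DFUZZING harness.c -o fuzz
 * Build as a reproducer: clang -g -O1 -fsanitize=address harness.c -o repro
 * The reproducer pushes one crash file through the same entry point, so a
 * finding can be replayed and debugged without libFuzzer in the loop. */
#ifndef FUZZING
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s crash-file\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    uint8_t buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
#endif
```

Write the seed bytes into a corpus directory and run `./fuzz corpus/`; when libFuzzer writes a `crash-*` file, `./repro crash-*` replays it under ASan with the same call path, which is the "reproduces bugs" half of the job.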



> An open-source alternative of Microsoft's SAGE/Springfield would be cool

We're working on one (!) and I hope we can offer it for free to non-commercial projects. For now, there is Microsoft Springfield [1] for Windows software and Google OSS-Fuzz [2] for open-source software. It is extraordinarily hard to not only get the tech for something like that working but bring it to market.

As noted in the video, nearly all the individual pieces of our CRS are open-source but you actually do not want a "CRS." The competition DARPA designed for them involved more than what is necessary to provide value to a development team, e.g., you don't want something that writes IDS signatures, considers "gameplay" or resource contention, or attempts to write automatic patches. You want something that accurately finds and reproduces bugs. We open-sourced the tools we wrote to do that or used tools that were already open-source, like Grr, Manticore, Radamsa, KLEE, and Z3.

[1] https://www.microsoft.com/en-us/springfield/

[2] https://github.com/google/oss-fuzz


> We're working on one (!) and I hope we can offer it for free to non-commercial projects.

That's good to hear. Hope you can find a way to monetize it for commercial projects.

Getting the tech right certainly seems to be a hard problem, with Google's Konstantin Serebryany calling the symbolic execution route rocket science. In my view the problem is coming up with a solid solution instead of just heuristics (as with all multi-approach methods: when to switch modes?) and making sure the tech is usable to test arbitrary complex pieces of software.



