A Qualitative Analysis of Fuzzer Usability and Challenges

Yunze Zhao; Wentao Guo; Harrison Goldstein; Daniel Votipka; Kelsey R. Fulton; Michelle L. Mazurek

doi:10.1145/3719027.3765055

A Qualitative Analysis of Fuzzer Usability and Challenges

Yunze Zhao
, Wentao Guo
, Harrison Goldstein
, Daniel Votipka
, Kelsey R. Fulton
, Michelle L. Mazurek

Department of Computer Science and Engineering

University of Maryland, College Park
Tufts University
Colorado School of Mines

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Fuzzing is a widely adopted technique for uncovering software vulnerabilities by generating random or mutated test inputs to trigger unexpected behavior. However, little is known about how developers actually use fuzzing tools in practice, the challenges they face, and where current tools fall short. This study investigates the human side of fuzzing via 18 semi-structured interviews with fuzzing users across diverse domains. These interviews explore participants' workflows, frustrations, and expectations around fuzzing, revealing critical usability gaps and design opportunities. Our results can inform the next generation of fuzzing tools to improve user experience, reduce manual effort, and enable more effective integration of fuzzing into real-world workflows.

Original language	English
Title of host publication	CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	2504-2518
Number of pages	15
ISBN (Electronic)	9798400715259
DOIs	https://doi.org/10.1145/3719027.3765055
State	Published - Nov 22 2025
Event	32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 - Taipei, Taiwan, Province of China Duration: Oct 13 2025 → Oct 17 2025

Publication series

Name	CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

Conference

Conference	32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025
Country/Territory	Taiwan, Province of China
City	Taipei
Period	10/13/25 → 10/17/25

Keywords

Dynamic Testing
Fuzzing
Usability
Usable Security

Access to Document

10.1145/3719027.3765055

Cite this

Zhao, Y., Guo, W., Goldstein, H., Votipka, D., Fulton, K. R., & Mazurek, M. L. (2025). A Qualitative Analysis of Fuzzer Usability and Challenges. In CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (pp. 2504-2518). (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3719027.3765055

Zhao, Yunze ; Guo, Wentao ; Goldstein, Harrison et al. / A Qualitative Analysis of Fuzzer Usability and Challenges. CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2025. pp. 2504-2518 (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security).

@inproceedings{3f7b9dcb09a54644a2fa3c6605f28518,

title = "A Qualitative Analysis of Fuzzer Usability and Challenges",

abstract = "Fuzzing is a widely adopted technique for uncovering software vulnerabilities by generating random or mutated test inputs to trigger unexpected behavior. However, little is known about how developers actually use fuzzing tools in practice, the challenges they face, and where current tools fall short. This study investigates the human side of fuzzing via 18 semi-structured interviews with fuzzing users across diverse domains. These interviews explore participants' workflows, frustrations, and expectations around fuzzing, revealing critical usability gaps and design opportunities. Our results can inform the next generation of fuzzing tools to improve user experience, reduce manual effort, and enable more effective integration of fuzzing into real-world workflows.",

keywords = "Dynamic Testing, Fuzzing, Usability, Usable Security",

author = "Yunze Zhao and Wentao Guo and Harrison Goldstein and Daniel Votipka and Fulton, \{Kelsey R.\} and Mazurek, \{Michelle L.\}",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 ; Conference date: 13-10-2025 Through 17-10-2025",

year = "2025",

month = nov,

day = "22",

doi = "10.1145/3719027.3765055",

language = "English",

series = "CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "2504--2518",

booktitle = "CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security",

}

Zhao, Y, Guo, W, Goldstein, H, Votipka, D, Fulton, KR & Mazurek, ML 2025, A Qualitative Analysis of Fuzzer Usability and Challenges. in CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 2504-2518, 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025, Taipei, Taiwan, Province of China, 10/13/25. https://doi.org/10.1145/3719027.3765055

A Qualitative Analysis of Fuzzer Usability and Challenges. / Zhao, Yunze; Guo, Wentao; Goldstein, Harrison et al.
CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2025. p. 2504-2518 (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A Qualitative Analysis of Fuzzer Usability and Challenges

AU - Zhao, Yunze

AU - Guo, Wentao

AU - Goldstein, Harrison

AU - Votipka, Daniel

AU - Fulton, Kelsey R.

AU - Mazurek, Michelle L.

PY - 2025/11/22

Y1 - 2025/11/22

N2 - Fuzzing is a widely adopted technique for uncovering software vulnerabilities by generating random or mutated test inputs to trigger unexpected behavior. However, little is known about how developers actually use fuzzing tools in practice, the challenges they face, and where current tools fall short. This study investigates the human side of fuzzing via 18 semi-structured interviews with fuzzing users across diverse domains. These interviews explore participants' workflows, frustrations, and expectations around fuzzing, revealing critical usability gaps and design opportunities. Our results can inform the next generation of fuzzing tools to improve user experience, reduce manual effort, and enable more effective integration of fuzzing into real-world workflows.

AB - Fuzzing is a widely adopted technique for uncovering software vulnerabilities by generating random or mutated test inputs to trigger unexpected behavior. However, little is known about how developers actually use fuzzing tools in practice, the challenges they face, and where current tools fall short. This study investigates the human side of fuzzing via 18 semi-structured interviews with fuzzing users across diverse domains. These interviews explore participants' workflows, frustrations, and expectations around fuzzing, revealing critical usability gaps and design opportunities. Our results can inform the next generation of fuzzing tools to improve user experience, reduce manual effort, and enable more effective integration of fuzzing into real-world workflows.

KW - Dynamic Testing

KW - Fuzzing

KW - Usability

KW - Usable Security

UR - https://www.scopus.com/pages/publications/105023835810

U2 - 10.1145/3719027.3765055

DO - 10.1145/3719027.3765055

M3 - Conference contribution

AN - SCOPUS:105023835810

T3 - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

SP - 2504

EP - 2518

BT - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

T2 - 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025

Y2 - 13 October 2025 through 17 October 2025

ER -

Zhao Y, Guo W, Goldstein H, Votipka D, Fulton KR, Mazurek ML. A Qualitative Analysis of Fuzzer Usability and Challenges. In CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2025. p. 2504-2518. (CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security). doi: 10.1145/3719027.3765055

A Qualitative Analysis of Fuzzer Usability and Challenges

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this