Integrate Buttercup with new targets

[michaelbrownuc]

From the DARPA rules update on 8/4:

3.3 Post-Competition Prizes
DARPA is making available additional prize awards for real-world successes following AFC at
DEF CON 33 for up to 6 months. All seven (7) finalist teams are eligible for the additional prize
money, which is structured as follows:
• Each AIxCC finalist team is eligible for up to $200,000 in additional prizes (20
increments of $10,000 each).
• To qualify for each $10,000 increment of additional prize awards, a finalist team must:
1. Nominate a piece of software (open source or commercial) to integrate their CRS
into.
2. Receive approval from DARPA that this nomination is aligned with the AIxCC
goal to secure U.S. critical infrastructure.
3. Provide DARPA with a letter of support/intent from the software
owner/maintainer indicating approval of their effort to integrate the finalist’s
CRS.
4. Demonstrate to DARPA’s satisfaction that the integrated CRS can find novel
vulnerabilities in and develop patches for the approved software.

• [ ] Identify and nominate 40-50 software packages DARPA will consider CNI and nominate them. Preferably they are already OSS-Fuzz compatible.
• [ ] Get LOIs from maintainers of DARPA-approved programs
• [ ] Run and demonstrate that Buttercup has found a novel vulnerability, or at least has covered the code reachable from the fuzzing harnesses.