Which companies or organizations use fuzzing? Are they finding zero days?
Hi Paul, welcome! Businesses in almost every vertical have incorporated fuzzing into their standard security practice. However, the zero-day vulnerabilities that you hear about, the ones that make the headlines, are usually not from companies that regularly employ fuzz testing and other security practices. These are issues that have slipped through the cracks to make a major impact on the software ecosystem at large. If an organization, vendor or independent researcher discovers a zero-day vulnerability in a piece of third-party software, it is typically responsibly disclosed. If an organization employs fuzz testing early and discovers a zero-day vulnerability in their own, unreleased proprietary software, you will likely never hear about it (which is a good thing!).