You cannot test for what you never described.

I woke up and saw a wall of emails in my personal account. Then I logged into my corporate Slack, and it was filled with Zendesk messages from customers. Everyone was looking for me. The library I wrote, jsonparser, which got used by a lot of projects, got its very own public CVE. So everyone started freaking out looking at their scanners. "That's what the fame is," was my first thought. Now I remember some notifications I kept ignoring from the Google OSS Fuzz project, which I signed up for multiple years ago.

This lib was written in the pre-AI-agents era (so weird to say that now!). Every piece was handcrafted manually, using best practices, with full test coverage. I checked the function which had the issue, and it literally had nearly 100% test coverage. But it did not matter, because the issue was in the handling of malformed input data. One of the edge cases which was missed.…