PandaFuzz provides a RESTful API for fuzzing orchestration. All endpoints follow standard HTTP conventions and return JSON responses.
- POST /api/bots/register - Register a new bot with capabilities
- GET /api/jobs - List all jobs with filtering
- POST /api/jobs - Create a new fuzzing job with strategy
- GET /api/crashes/{job_id} - Get crashes for a job with deduplication
- POST /api/mutators - Upload custom mutator
- POST /api/grammars - Upload grammar definition
- GET /api/corpus/seeds - Get prioritized corpus seeds
- POST /api/leaks - Report memory leaks
- GET /api/strategies - List available fuzzing strategies
POST /api/v1/bots/register # Bot registration with timeout
DELETE /api/v1/bots/{id} # Bot deregistration
POST /api/v1/bots/{id}/heartbeat # Bot heartbeat with status
GET /api/v1/bots/{id}/job # Atomic job assignment
POST /api/v1/bots/{id}/job/complete # Job completion notification
POST /api/v1/results/crash # Report crash with metadata
POST /api/v1/results/coverage # Report coverage data
POST /api/v1/results/corpus # Report corpus updates
POST /api/v1/results/status # Report job status updates
POST /api/v1/jobs # Create fuzzing job
GET /api/v1/jobs # List jobs (paginated)
GET /api/v1/jobs/{id} # Get job details
PUT /api/v1/jobs/{id}/cancel # Cancel job
GET /api/v1/jobs/{id}/logs # Get job logs
GET /api/v1/status # System health check
GET /api/v1/metrics # Basic metrics
GET /api/v1/bots # List active bots
All endpoints include:
- Request timeout: 30s
- Bot operation timeout: 5m
- Job execution timeout: configurable (default: 1h)
- Master restart recovery: automatic
- Atomic operations for state changes
{
  "success": true,
  "data": { ... },
  "timestamp": "2024-01-20T12:00:00Z"
}

{
  "success": false,
  "error": {
    "code": "RESOURCE_NOT_FOUND",
    "message": "Job not found",
    "details": { ... }
  },
  "timestamp": "2024-01-20T12:00:00Z"
}

PandaFuzz operates behind a VPN and does not require additional authentication. All requests are trusted within the VPN environment.
No rate limiting is enforced as the system operates in a trusted environment.
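
A bot or tooling client can check each response body against the two documented envelopes (success with `data`, failure with `error.code` and `error.message`) before acting on it. The Python below is an added example, not PandaFuzz's own code; `parse_envelope`, `ApiError`, `MalformedEnvelope` and the sample bodies are hypothetical names and constructed data.

```python
import json
from datetime import datetime

class ApiError(Exception):
    """Raised for a well-formed error envelope ("success": false)."""
    def __init__(self, code, message, details=None):
        super().__init__(f"{code}: {message}")
        self.code, self.message, self.details = code, message, details

class MalformedEnvelope(ValueError):
    """Raised when a body matches neither documented envelope shape."""

def parse_envelope(body):
    """Return (data, timestamp) on success; raise ApiError on an error envelope."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError) as exc:
        raise MalformedEnvelope("body is not JSON") from exc
    # "success" must be a real JSON boolean, not "true" or 1.
    if not isinstance(doc, dict) or not isinstance(doc.get("success"), bool):
        raise MalformedEnvelope('"success" must be a JSON boolean')
    ts = doc.get("timestamp")
    if not isinstance(ts, str):
        raise MalformedEnvelope('"timestamp" must be a string')
    try:
        # Assumption: timestamps are ISO 8601 with a trailing "Z", as in the samples.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError as exc:
        raise MalformedEnvelope("timestamp is not ISO 8601") from exc
    if doc["success"]:
        if "data" not in doc or "error" in doc:
            raise MalformedEnvelope('success envelope needs "data" and no "error"')
        return doc["data"], when
    err = doc.get("error")
    if not isinstance(err, dict) or not all(
            isinstance(err.get(k), str) for k in ("code", "message")):
        raise MalformedEnvelope('error envelope needs string "code" and "message"')
    raise ApiError(err["code"], err["message"], err.get("details"))

# Constructed sample bodies modelled on the two envelopes in the documentation.
OK_BODY = ('{"success": true, "data": {"id": "job-1"}, '
           '"timestamp": "2024-01-20T12:00:00Z"}')
ERR_BODY = ('{"success": false, "error": {"code": "RESOURCE_NOT_FOUND", '
            '"message": "Job not found", "details": {}}, '
            '"timestamp": "2024-01-20T12:00:00Z"}')
```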