I've publicly discussed a bit about my process when researching the Chrome sandbox last year. In this talk I follow up with more details about my process and how to make quick progress with fuzzing.
Over the past couple of years, I've practiced bug hunting intensely, with the goal of finding interesting and useful bugs with a process that's as repeatable as possible. Fortunately this has worked quite well on numerous targets ranging from 3DS (1 bug chain to security coprocessor) to Chrome (1 bug to escape sandbox). Now that I'm working on XNU, this process appears just as effective despite the massive differences between a browser and a kernel.
In this talk, I will discuss my codebase-agnostic process for fuzzing that helped me grow my skillset beyond pure auditing. If you generally prefer auditing and are thinking of incorporating fuzzing into your workflow, this is the talk for you.
3DS/Chrome/XNU bug hunter