BugHog: Automated Browser Bug Bisection On Steroids

Identifying the exact commits where bugs are introduced or regressed in web browsers is often a tedious and time-consuming task. As a result, mapping the full lifecycle of a newly reported bug rarely becomes part of the standard bug-fixing process, even though doing so can reveal valuable insights and support more effective fixes. With BugHog, we developed an automated bisection tool on steriods, simplifying the hunt for buggy commits.

BugHog runs: - dynamic test cases against historical browser builds - in isolated Docker containers - guided by an adaptive binary search algorithm - across more than a decade of browser development history.

Originally developed for browser security research, BugHog has already demonstrated its value by reconstructing the lifecycle of publicly disclosed Content Security Policy bugs in Chromium and Firefox. This gave new perspectives on how security bugs evolve over time, exposed ineffective fixes, and even uncovered prematurely disclosed vulnerabilities.

In this talk, I will demonstrate how BugHog works, share lessons from large-scale browser analyses, and highlight how it can help both researchers and developers accelerate their bug investigations.