Hacker News | lrngjcb's comments

Hindsight is 20/20, but with a hook on javax.naming.Context#lookup and a generally useful improvement to the Map instrumentation, Jazzer reliably finds #log4j CVE-2021-44228 in ~5 min with a one-line fuzz target: log.error(data.consumeRemainingAsString());

https://github.com/CodeIntelligenceTesting/jazzer/pull/257


I did my research. The paper is already published: https://publications.cispa.saarland/3463/1/roth2021usable.pd...


Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions


Well, it's actually not that easy... :D


Looking for your feedback: It is still possible to submit questions for the panel discussion. Which questions should the speakers address?


A couple of days ago there was also a discussion on a similar topic on HN: https://news.ycombinator.com/item?id=26090139

