Open Source Fuzzing Tools

Frequently Asked Questions

Q:

We ran the fuzzer right before we released, and it found lots of bugs. We fixed those, but we don't have time to run any more tests. Is that OK?

A:

Fuzzing tends to find bugs in bunches. The short answer is that if you found many bugs in the first run, you're likely to find many bugs (fewer, but still quite a few) in subsequent runs once those original flaws are fixed.

Q:

Why should I spend money on a commercial fuzzer when there are many free ones?

A:

Some of the free versions are very intuitive and easy to use; some, not so much. The support level of free fuzzers can also vary depending on the responsiveness of the developer. They may not care much if you're shipping your product in three weeks and you need them to fix a bug in their fuzzer. The quality of the free fuzzers also varies significantly. Personally, we recommend evaluating the free versions available, and if one works for your situation, great. If not, consider buying a commercial version or building your own if you have the technical expertise to do so.

Q:

How much time and money should I budget?

A:

Time will depend on several factors. Will you buy, build, or use a free fuzzer? How large is the code base? How much of it is legacy code? Is the software written in managed or unmanaged code? What is the attack surface of the product?
