🤖 AI Summary
Traditional fuzzing struggles to effectively cover security-critical deep program states and is often hindered by low-value execution paths, resulting in inefficient vulnerability discovery. This work proposes EyeQ, a novel automated guidance framework that systematically integrates developer security insights from code reviews into the fuzzing process for the first time. By leveraging large language models and program analysis techniques, EyeQ extracts security signals from review discussions, identifies critical code regions, and generates annotations to guide fuzzing. The approach requires no modifications to program semantics or development workflows yet significantly enhances coverage of high-risk paths. Experimental evaluation on PHP’s security-critical codebase uncovered over 40 previously unknown vulnerabilities, demonstrating substantially superior performance compared to standard fuzzing configurations.
📝 Abstract
Modern fuzzers scale to large, real-world software but often fail to exercise the program states developers consider most fragile or security-critical. Such states are typically deep in the execution space, gated by preconditions, or overshadowed by lower-value paths that consume limited fuzzing budgets. Meanwhile, developers routinely surface risk-relevant insights during code review, yet this information is largely ignored by automated testing tools. We present EyeQ, a system that leverages developer intelligence from code reviews to guide fuzzing. EyeQ extracts security-relevant signals from review discussions, localizes the implicated program regions, and translates these insights into annotation-based guidance for fuzzing. The approach operates atop existing annotation-aware fuzzing, requiring no changes to program semantics or developer workflows. We first validate EyeQ through a human-guided feasibility study on a security-focused dataset of PHP code reviews, establishing a strong baseline for review-guided fuzzing. We then automate the workflow using a large language model with carefully designed prompts. EyeQ significantly improves vulnerability discovery over standard fuzzing configurations, uncovering more than 40 previously unknown bugs in the security-critical PHP codebase.
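The abstract describes a three-stage pipeline: extract security-relevant signals from review discussions, localize them to program regions, and turn those regions into annotations that steer the fuzzer. The following Python sketch is an added illustration of that idea and is not EyeQ's code; the keyword weights, the line-window radius, the review comments, the seed coverage sets and the energy formula are all assumptions constructed for the example.

```python
"""Added illustration (not EyeQ's code) of review-guided fuzzing:
1. score review comments for security signal (keyword heuristic, assumed),
2. localize each signal to a line window around the commented line,
3. weight seed scheduling by how much annotated code each seed reaches.
All comments, regions and seeds below are constructed for the example.
"""
from dataclasses import dataclass

# Assumed heuristic: review vocabulary that tends to indicate memory-safety
# or input-validation risk, with a rough weight per term.
RISK_KEYWORDS = {
    "overflow": 3, "off-by-one": 3, "use-after-free": 3,
    "bounds": 2, "unchecked": 2, "untrusted": 2,
    "length": 1, "null": 1,
}

@dataclass(frozen=True)
class Annotation:
    path: str      # source file the review comment was attached to
    start: int     # first line of the annotated window
    end: int       # last line of the annotated window
    weight: int    # strength of the security signal

# Constructed review comments: (path, commented line, reviewer text).
REVIEW_COMMENTS = [
    ("ext/standard/string.c", 1220,
     "Is the length here checked? Looks like a possible overflow if len is untrusted."),
    ("ext/standard/string.c", 1300, "nit: rename variable"),
    ("Zend/zend_hash.c", 88, "Bounds check missing before indexing the bucket array."),
]

def score_comment(text: str) -> int:
    """Sum the weights of risk keywords present in a comment (0 = no signal)."""
    lowered = text.lower()
    return sum(w for kw, w in RISK_KEYWORDS.items() if kw in lowered)

def extract_annotations(comments, radius: int = 5):
    """Turn risk-bearing comments into line-window annotations.

    Comments with no signal (e.g. style nits) produce no annotation, so they
    never consume fuzzing budget.
    """
    annotations = []
    for path, line, text in comments:
        weight = score_comment(text)
        if weight > 0:
            annotations.append(Annotation(path, max(1, line - radius), line + radius, weight))
    return annotations

@dataclass
class Seed:
    name: str
    coverage: set          # constructed set of (path, line) pairs the seed executes
    base_energy: int = 1   # what a plain power schedule would assign

def annotation_hits(seed: Seed, annotations) -> int:
    """Total weight of annotated regions this seed touches (each region counted once)."""
    return sum(
        a.weight for a in annotations
        if any(p == a.path and a.start <= ln <= a.end for (p, ln) in seed.coverage)
    )

def schedule(seeds, annotations, boost: int = 2):
    """Order seeds by energy = base_energy * (1 + boost * hits), highest first.

    Seeds that reach reviewer-flagged code get proportionally more mutations;
    seeds that only cover unflagged code keep their baseline energy.
    """
    scored = [(s.base_energy * (1 + boost * annotation_hits(s, annotations)), s.name)
              for s in seeds]
    return [name for _energy, name in sorted(scored, reverse=True)]

# Constructed seeds with made-up coverage.
SAMPLE_SEEDS = [
    Seed("seed_a", {("ext/standard/string.c", 1218), ("ext/standard/string.c", 40)}),
    Seed("seed_b", {("Zend/zend_hash.c", 90)}),
    Seed("seed_c", {("ext/standard/string.c", 1300)}),
]

if __name__ == "__main__":
    anns = extract_annotations(REVIEW_COMMENTS)
    for a in anns:
        print(f"{a.path}:{a.start}-{a.end} weight={a.weight}")
    print("schedule:", schedule(SAMPLE_SEEDS, anns))
```

In a real annotation-aware fuzzer the coverage sets would come from instrumentation and the energy would feed the mutation loop; the point of the sketch is that review signal changes only the scheduling policy, leaving program semantics and the developers' workflow untouched, which is the property the abstract emphasizes.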