Propose recommendation around fuzzing

[codeboten]

The CNCF has asked for a fuzzing audit of OpenTelemetry possibly using https://github.com/google/oss-fuzz. This issue is to capture the recommendation around fuzzing for the various SIGs in OTel

[codeboten]

Links to CNCF PR material about fuzzing CNCF projects:

• https://contribute.cncf.io/resources/project-services/audits/
• https://www.cncf.io/blog/2023/04/18/cncf-fuzzing-open-source-projects-for-security-and-reliability/
• https://www.cncf.io/blog/2023/11/07/cncf-fuzzing-updates-2023/

Previous fuzzing audits:

• https://www.cncf.io/blog/2023/09/12/kyverno-completes-fuzzing-security-audit/
• https://www.cncf.io/blog/2023/03/02/containerd-completes-fuzzing-audit/
• https://www.cncf.io/blog/2023/06/30/dapr-completes-fuzzing-audit/
• https://www.cncf.io/blog/2023/03/24/crossplane-completes-fuzzing-security-audit/
• https://www.cncf.io/blog/2023/03/31/helm-completes-fuzzing-security-audit/

[jpkrohling]

This is what we discussed during the SIG meeting:

• The SIG Security is not ready to turn this into a recommendation, but believes there's value in having a practical experience with it
• We believe that the Collector would be a good fit for this, with a small number of components initially. Namely, OTLP receiver and exporter.
• We'll capture the learnings and see if we can scale this to other SIGs