OSS-Fuzz helps find bugs and security issues and has already done so for many projects.
I already reported three minor bugs in gnupg thanks to it (more to come).
A gnupg patch is available here.
It works with oss-fuzz using this patch.
The big question is how fuzz tests should be used without oss-fuzz.
Maybe a non-default configure option could set the C flags appropriately?