ROS2 Security Working Group Online Meeting

It’s not realistic for ROS2 Crystal either, but it is worth considering for the long-term roadmap:

  • integration of fuzz testing into the CI environment

There is a nice read (a blog post by a security engineer) about how to integrate public repositories into Google OSS-Fuzz (“continuous open source software fuzzing as a service”) and about how to make OSS-Fuzz work for private repositories. Google tries to motivate people to integrate projects into OSS-Fuzz with patch rewards… probably an interesting model to get people like aliasrobotics.com (@EndikaGu) involved in ROS2 security improvement :wink: . However, since OSS-Fuzz-based fuzz testing addresses low levels of abstraction (source code like rclcpp, rclc, rmw), its priority compared to the other point in the list (higher levels of abstraction like features, “security by design”) is quite low. Nevertheless, it is worth mentioning here I guess.