[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

Luca Boccassi luca.boccassi at gmail.com
Wed Nov 16 00:57:05 CET 2022


Sounds great, thank you - most of us are in the European timezones, let us
know when you have a date/time in mind

On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org> wrote:

> Thank you to everyone who has helped so far! What we can concretely offer
> is below under "What you can expect". We totally understand you maintainers
> are busy so the process is designed to be easy for those who participate.
> We also have a budget to compensate maintainers who help out directly (that
> can go to a nonprofit of the project's choice as well).
>
> Our first team of security experts is ready to meet the week of December
> 5th if you'd like to participate.
>
> P.S. The OSTIF team plans to be in Brussels for FOSDEM, so we hope to see
> some of you there!
>
> Thank you and let me know who would like to participate.
>
> - Amir
>
>
> What you can expect
>
> Here is what we’re going to do (and need your help with) in a nutshell:
>
>    - We’ll Perform an Initial Assessment
>       - Meet with you to better understand and ask questions about your
>         package – its architecture, design choices, known issues, and so on
>       - Install Scorecard <https://github.com/ossf/scorecard#overview> if
>         you don’t already have it – this evaluates your environment against a set
>         of SDLC best practices (see https://securityscorecards.dev/ for
>         more info) – and identify opportunities to improve low-scoring checks
>       - Perform a quick code review, get your package to build, check for
>         quality and best practices
>       - Assess whether your package would benefit from fuzzing and is
>         compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/>
>         offering.
>       - Assess whether your package would benefit from SLSA
>         <https://slsa.dev/> and/or SBOM
>         <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>         software supply chain integrity (SSCI) technologies (for example, do your
>         users commonly build from source or consume binaries that you build?)
>    - If Warranted, We’ll Proceed with an In-Depth Review
>       - Perform a targeted code review on your package to identify
>         security vulnerabilities or recommended defense-in-depth fixes
>       - If applicable, integrate your package with the OSS Fuzz offering
>         and tune it to achieve maximum coverage.
>       - Improve eligible Scorecard check scores
>       - Assist you with deploying SLSA and SBOM
>
> Here’s what we’ll ask you to do:
>
>    - During the Initial Assessment
>       - Meet with us and our partners in a “kick-off” meeting where we’ll
>         ask you a number of questions about your package and how it works to build
>         a shared threat model and scope the review
>    - During Our In-Depth Review
>       - Assist us with onboarding your package to OSS-Fuzz if applicable,
>         and you’ll be compensated for doing so
>       - Assist us with improving the Scorecard checks we recommend, and
>         you’ll be compensated for each
>       - Assist us with implementing SLSA and SBOM, if applicable, and
>         you’ll be compensated for doing so
>    - After our In-Depth Review
>       - Review the security vulnerabilities we find (if any) and our
>         recommended defense-in-depth fixes (if any), and remediate each
>         vulnerability within a reasonable timeframe (we’ll work this out with you
>         when the time comes), and you’ll be compensated for each
>       - If applicable, produce a new build that includes all of the
>         improvements made during this process
>
>
> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <amir at ostif.org> wrote:
>
>> Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit
>> last week for KubeCon meeting a number of projects we've done security
>> engagements with and collecting feedback.
>>
>> I hope we can sync soon and discuss opportunities to help out with
>> zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
>> providing free help to open source projects for almost 8 years now. We
>> finally have some resources on our bench to help projects out with their
>> security needs. I am finalizing what exactly that would look like in the
>> next week!
>>
>> I'll have updates and resources for you soon. In the meantime feel free
>> to reach out with any questions or feedback.
>>
>> Thank you,
>> Amir
>>
>> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.boccassi at gmail.com>
>> wrote:
>>
>>> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
>>> https://github.com/zeromq/libzmq/tree/master/tests
>>>
>>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <amir at ostif.org> wrote:
>>>
>>>> Of course, that is understandable. Thank you all for maintaining such
>>>> an important project despite your busy schedules! I hope we can find a way
>>>> to help make your lives easier.
>>>>
>>>> What we can contribute is a security review by an experienced team to
>>>> assess general design review; code quality, defensive programming, and best
>>>> practices, as well as opportunities to improve fuzzing. Additional fuzzers
>>>> can be built and the team can integrate the project to oss-fuzz for
>>>> continuous monitoring of security issues. Based on our experience, when
>>>> security teams have a line of contact with the project maintainers, they
>>>> can be guided and better utilized to help.
>>>>
>>>> I'm fairly certain that we can provide new fuzzers/test cases and will
>>>> get more specific details for you on that.
>>>>
>>>> Thank you!
>>>> Amir
>>>>
>>>>
>>>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <luca.boccassi at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for the offer, but let's continue via mail please, we are all
>>>>> very busy as-is.
>>>>>
>>>>> What can you contribute, concretely? I have already set up fuzzing
>>>>> some time ago. Can you provide new fuzzers/test cases? If so that would be
>>>>> great, just send pull requests to the repository.
>>>>>
>>>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <amir at ostif.org> wrote:
>>>>>
>>>>>> We can help with whatever the project needs. The intention is to
>>>>>> connect the project maintainer(s)/contributor(s) with our security team
>>>>>> (made up of security experts and Google Open Source Security engineers) to
>>>>>> help where the project needs it most. We can help with bug fixes, security
>>>>>> tooling i.e. fuzzing and developing fuzzers for the project, CI/CD, and
>>>>>> anything else that will help zeromq be more secure!
>>>>>>
>>>>>> Thankfully we have resources to help and are able to compensate
>>>>>> maintainer(s) who participate in the engagement to show our gratitude for
>>>>>> your time and efforts.
>>>>>>
>>>>>> I'd be happy to set up a quick introductory call with anyone
>>>>>> interested in learning more.
>>>>>>
>>>>>> Thank you and have a great day!
>>>>>> Amir
>>>>>>
>>>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <
>>>>>> luca.boccassi at gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> What kind of support are you able to provide?
>>>>>>>
>>>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <amir at ostif.org> wrote:
>>>>>>>
>>>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>>>
>>>>>>>> That’s great news, we have teams ready to help. Would you be a good
>>>>>>>> person to coordinate that with? If anyone else comes to mind to include
>>>>>>>> please let me know!
>>>>>>>>
>>>>>>>> I would be happy to set up a quick call to meet and discuss how we
>>>>>>>> can best be of service to the zeromq project.
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> Amir
>>>>>>>>
>>>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <arnaud at sphaero.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Are you sure you are on the right list? This is the zeromq list, not
>>>>>>>>> dnsmasq.
>>>>>>>>>
>>>>>>>>> We'd appreciate any help for sure!
>>>>>>>>>
>>>>>>>>> Rg,
>>>>>>>>>
>>>>>>>>> Arnaud
>>>>>>>>>
>>>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your
>>>>>>>>> > security posture!
>>>>>>>>> >
>>>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
>>>>>>>>> > <https://ostif.org/> is a nonprofit solely dedicated to helping open
>>>>>>>>> > source projects improve their security for free.
>>>>>>>>> >
>>>>>>>>> > We are working with a team of Google engineers and security experts to
>>>>>>>>> > help important open source projects like dnsmasq. This includes helping
>>>>>>>>> > improve testing, reviewing code, implementing more security tools, and
>>>>>>>>> > improving supply chain security.
>>>>>>>>> >
>>>>>>>>> > Additionally, we understand the time constraints that open source
>>>>>>>>> > contributors have, and would like to compensate contributors for their
>>>>>>>>> > time working with us.
>>>>>>>>> >
>>>>>>>>> > We would love to work with you! Please let me know who we should be
>>>>>>>>> > talking to and how we can help!
>>>>>>>>> >
>>>>>>>>> > Thank you in advance for your consideration!
>>>>>>>>> >
>>>>>>>>> > Best,
>>>>>>>>> >
>>>>>>>>> > Amir
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> > --
>>>>>>>>> > *Amir Montazery*
>>>>>>>>> > Managing Director
>>>>>>>>> > Open Source Technology Improvement Fund
>>>>>>>>> > https://ostif.org/ <https://ostif.org/>
>>>>>>>>> > https://calendly.com/ostif <https://calendly.com/ostif>
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> > _______________________________________________
>>>>>>>>> > zeromq-dev mailing list
>>>>>>>>> > zeromq-dev at lists.zeromq.org
>>>>>>>>> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>
>