[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

Luca Boccassi luca.boccassi at gmail.com
Wed Nov 16 20:12:37 CET 2022


For myself, before 4pm or after 7.30pm (UTC) both days

On Wed, 16 Nov 2022 at 18:47, Amir Montazery <amir at ostif.org> wrote:

> Thank you! Many of us are in European timezones as well (I myself am based
> in Chicago, USA). Is there a time that works best on Monday, December 5th
> or Tuesday, December 6th?
>
> On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi <luca.boccassi at gmail.com>
> wrote:
>
>> Sounds great, thank you - most of us are in the European timezones, let
>> us know when you have a date/time in mind
>>
>> On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org> wrote:
>>
>>> Thank you to everyone who has helped so far! What we can concretely
>>> offer is below under "What you can expect". We totally understand you
>>> maintainers are busy so the process is designed to be easy for those who
>>> participate. We also have a budget to compensate maintainers who help out
>>> directly (that can go to a nonprofit of the project's choice as well).
>>>
>>> Our first team of security experts is ready to meet the week of December
>>> 5th if you'd like to participate.
>>>
>>> P.S. The OSTIF team plans to be in Brussels for FOSDEM so we hope to see
>>> some of you there!
>>>
>>> Thank you and let me know who would like to participate.
>>>
>>> - Amir
>>>
>>>
>>> What you can expect
>>>
>>> Here is what we’re going to do (and need your help with) in a nutshell:
>>>
>>> - We’ll Perform an Initial Assessment
>>>   - Meet with you to better understand and ask questions about your
>>>     package – its architecture, design choices, known issues, and so on
>>>   - Install Scorecard <https://github.com/ossf/scorecard#overview> if
>>>     you don’t already have it – this evaluates your environment against a
>>>     set of SDLC best practices (see https://securityscorecards.dev/ for
>>>     more info) – and identify opportunities to improve low-scoring checks
>>>   - Perform a quick code review, get your package to build, check for
>>>     quality and best practices
>>>   - Assess whether your package would benefit from fuzzing and is
>>>     compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/>
>>>     offering.
>>>   - Assess whether your package would benefit from SLSA
>>>     <https://slsa.dev/> and/or SBOM
>>>     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>>>     software supply chain integrity (SSCI) technologies (for example, do
>>>     your users commonly build from source or consume binaries that you
>>>     build?)
>>> - If Warranted, We’ll Proceed with an In-Depth Review
>>>   - Perform a targeted code review on your package to identify
>>>     security vulnerabilities or recommended defense-in-depth fixes
>>>   - If applicable, integrate your package with the OSS-Fuzz offering
>>>     and tune it to achieve maximum coverage.
>>>   - Improve eligible Scorecard check scores
>>>   - Assist you with deploying SLSA and SBOM
>>>
>>> Here’s what we’ll ask you to do:
>>>
>>> - During the Initial Assessment
>>>   - Meet with us and our partners in a “kick-off” meeting where we’ll
>>>     ask you a number of questions about your package and how it works to
>>>     build a shared threat model and scope the review
>>> - During Our In-Depth Review
>>>   - Assist us with onboarding your package to OSS-Fuzz if applicable,
>>>     and you’ll be compensated for doing so
>>>   - Assist us with improving the Scorecard checks we recommend, and
>>>     you’ll be compensated for each
>>>   - Assist us with implementing SLSA and SBOM, if applicable, and
>>>     you’ll be compensated for doing so
>>> - After our In-Depth Review
>>>   - Review the security vulnerabilities we find (if any) and our
>>>     recommended defense-in-depth fixes (if any), and remediate each
>>>     vulnerability within a reasonable timeframe (we’ll work this out with
>>>     you when the time comes), and you’ll be compensated for each
>>>   - If applicable, produce a new build that includes all of the
>>>     improvements made during this process
>>>
>>> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <amir at ostif.org> wrote:
>>>
>>>> Awesome! Thank you for that Luca. Apologies for the lag, I was in
>>>> Detroit last week for KubeCon meeting a number of projects we've done
>>>> security engagements with and collecting feedback.
>>>>
>>>> I hope we can sync soon and discuss opportunities to help out with
>>>> zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
>>>> providing free help to open source projects for almost 8 years now. We
>>>> finally have some resources on our bench to help projects out with their
>>>> security needs. I am finalizing what exactly that would look like in the
>>>> next week!
>>>>
>>>> I'll have updates and resources for you soon. In the meantime feel free
>>>> to reach out with any questions or feedback.
>>>>
>>>> Thank you,
>>>> Amir
>>>>
>>>> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.boccassi at gmail.com>
>>>> wrote:
>>>>
>>>>> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
>>>>> https://github.com/zeromq/libzmq/tree/master/tests
>>>>>
>>>>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <amir at ostif.org> wrote:
>>>>>
>>>>>> Of course, that is understandable. Thank you all for maintaining such
>>>>>> an important project despite your busy schedules! I hope we can find a way
>>>>>> to help make your lives easier.
>>>>>>
>>>>>> What we can contribute is a security review by an experienced team to
>>>>>> assess general design review, code quality, defensive programming, and best
>>>>>> practices, as well as opportunities to improve fuzzing. Additional fuzzers
>>>>>> can be built and the team can integrate the project into OSS-Fuzz for
>>>>>> continuous monitoring of security issues. Based on our experience, when
>>>>>> security teams have a line of contact with the project maintainers, they
>>>>>> can be guided and better utilized to help.
>>>>>>
>>>>>> I'm fairly certain that we can provide new fuzzers/test cases and
>>>>>> will get more specific details for you on that.
>>>>>>
>>>>>> Thank you!
>>>>>> Amir
>>>>>>
>>>>>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <
>>>>>> luca.boccassi at gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Thanks for the offer, but let's continue via mail please, we are all
>>>>>>> very busy as-is.
>>>>>>>
>>>>>>> What can you contribute, concretely? I have already set up fuzzing
>>>>>>> some time ago. Can you provide new fuzzers/test cases? If so that would be
>>>>>>> great, just send pull requests to the repository.
>>>>>>>
>>>>>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <amir at ostif.org> wrote:
>>>>>>>
>>>>>>>> We can help with whatever the project needs. The intention is to
>>>>>>>> connect the project maintainer(s)/contributor(s) with our security team
>>>>>>>> (made up of security experts and Google Open Source Security engineers) to
>>>>>>>> help where the project needs it most. We can help with bug fixes, security
>>>>>>>> tooling, i.e. fuzzing and developing fuzzers for the project, CI/CD, and
>>>>>>>> anything else that will help zeromq be more secure!
>>>>>>>>
>>>>>>>> Thankfully we have resources to help and are able to compensate
>>>>>>>> maintainer(s) who participate in the engagement to show our gratitude for
>>>>>>>> your time and efforts.
>>>>>>>>
>>>>>>>> I'd be happy to set up a quick introductory call with anyone
>>>>>>>> interested in learning more.
>>>>>>>>
>>>>>>>> Thank you and have a great day!
>>>>>>>> Amir
>>>>>>>>
>>>>>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <
>>>>>>>> luca.boccassi at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> What kind of support are you able to provide?
>>>>>>>>>
>>>>>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <amir at ostif.org>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>>>>>
>>>>>>>>>> That’s great news, we have teams ready to help. Would you be a
>>>>>>>>>> good person to coordinate that with? If anyone else comes to mind to
>>>>>>>>>> include please let me know!
>>>>>>>>>>
>>>>>>>>>> I would be happy to set up a quick call to meet and discuss how
>>>>>>>>>> we can best be of service to the zeromq project.
>>>>>>>>>>
>>>>>>>>>> Thank you,
>>>>>>>>>> Amir
>>>>>>>>>>
>>>>>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <
>>>>>>>>>> arnaud at sphaero.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Are you sure you are on the right list? This is the zeromq list, not
>>>>>>>>>>> dnsmasq.
>>>>>>>>>>>
>>>>>>>>>>> We'd appreciate any help for sure!
>>>>>>>>>>>
>>>>>>>>>>> Rg,
>>>>>>>>>>>
>>>>>>>>>>> Arnaud
>>>>>>>>>>>
>>>>>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your
>>>>>>>>>>> > security posture!
>>>>>>>>>>> >
>>>>>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
>>>>>>>>>>> > <https://ostif.org/> is a nonprofit solely dedicated to helping
>>>>>>>>>>> > open source projects improve their security for free.
>>>>>>>>>>> >
>>>>>>>>>>> > We are working with a team of Google engineers and security
>>>>>>>>>>> > experts to help important open source projects like dnsmasq. This
>>>>>>>>>>> > includes helping improve testing, reviewing code, implementing
>>>>>>>>>>> > more security tools, and improving supply chain security.
>>>>>>>>>>> >
>>>>>>>>>>> > Additionally, we understand the time constraints that open source
>>>>>>>>>>> > contributors have, and would like to compensate contributors for
>>>>>>>>>>> > their time working with us.
>>>>>>>>>>> >
>>>>>>>>>>> > We would love to work with you! Please let me know who we should
>>>>>>>>>>> > be talking to and how we can help!
>>>>>>>>>>> >
>>>>>>>>>>> > Thank you in advance for your consideration!
>>>>>>>>>>> >
>>>>>>>>>>> > Best,
>>>>>>>>>>> >
>>>>>>>>>>> > Amir
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > --
>>>>>>>>>>> > *Amir Montazery*
>>>>>>>>>>> > Managing Director
>>>>>>>>>>> > Open Source Technology Improvement Fund
>>>>>>>>>>> > https://ostif.org/
>>>>>>>>>>> > https://calendly.com/ostif
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>> > zeromq-dev mailing list
>>>>>>>>>>> > zeromq-dev at lists.zeromq.org
>>>>>>>>>>> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>>
>
>