[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc
Arnaud Loonstra
arnaud at sphaero.org
Wed Nov 16 20:23:33 CET 2022
Before 4pm UTC suits me as well, both days. I prefer the 6th.
Rg,
Arnaud
On 16-11-2022 20:12, Luca Boccassi wrote:
> For myself, before 4pm or after 7.30pm (UTC) both days
>
> On Wed, 16 Nov 2022 at 18:47, Amir Montazery <amir at ostif.org
> <mailto:amir at ostif.org>> wrote:
>
> Thank you! Many of us are in European timezones as well (I myself am
> based in Chicago, USA). Is there a time that works best on Monday,
> December 5th or Tuesday, December 6th?
>
> On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi
> <luca.boccassi at gmail.com <mailto:luca.boccassi at gmail.com>> wrote:
>
> Sounds great, thank you - most of us are in the European
> timezones, let us know when you have a date/time in mind
>
> On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org
> <mailto:amir at ostif.org>> wrote:
>
> Thank you to everyone who has helped so far! What we can
> concretely offer is below under "What you can expect". We
> totally understand you maintainers are busy so the process
> is designed to be easy for those who participate. We also
> have a budget to compensate maintainers who help out
> directly (that can go to a nonprofit of the project's choice
> as well).
>
> Our first team of security experts is ready to meet the week
> of December 5th if you'd like to participate.
>
> P.S. The OSTIF team plans to be in Brussels for FOSDEM so we
> hope to see some of you there!
>
> Thank you and let me know who would like to participate.
>
> - Amir
>
>
> What you can expect
>
> Here is what we’re going to do (and need your help with) in
> a nutshell:
>
> * We’ll Perform an Initial Assessment
>
>   o Meet with you to better understand and ask questions
>     about your package – its architecture, design
>     choices, known issues, and so on
>
>   o Install Scorecard
>     <https://github.com/ossf/scorecard#overview> if you
>     don’t already have it – this evaluates your
>     environment against a set of SDLC best practices
>     (see https://securityscorecards.dev/ for more info) –
>     and identify opportunities to improve low-scoring checks
>
>   o Perform a quick code review, get your package to
>     build, check for quality and best practices
>
>   o Assess whether your package would benefit from
>     fuzzing and is compatible with our OSS-Fuzz
>     <https://google.github.io/oss-fuzz/> offering.
>
>   o Assess whether your package would benefit from SLSA
>     <https://slsa.dev/> and/or SBOM
>     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>     software supply chain integrity (SSCI) technologies (for
>     example, do your users commonly build from source or
>     consume binaries that you build?)
>
> * If Warranted, We’ll Proceed with an In-Depth Review
>
>   o Perform a targeted code review on your package to
>     identify security vulnerabilities or recommended
>     defense-in-depth fixes
>
>   o If applicable, integrate your package with the OSS
>     Fuzz offering and tune it to achieve maximum coverage.
>
>   o Improve eligible Scorecard check scores
>
>   o Assist you with deploying SLSA and SBOM
>
> Here’s what we’ll ask you to do:
>
> * During the Initial Assessment
>
>   o Meet with us and our partners in a “kick-off”
>     meeting where we’ll ask you a number of questions
>     about your package and how it works to build a
>     shared threat model and scope the review
>
> * During Our In-Depth Review
>
>   o Assist us with onboarding your package to OSS-Fuzz
>     if applicable, and you’ll be compensated for doing so
>
>   o Assist us with improving the Scorecard checks we
>     recommend, and you’ll be compensated for each
>
>   o Assist us with implementing SLSA and SBOM, if
>     applicable, and you’ll be compensated for doing so
>
> * After our In-Depth Review
>
>   o Review the security vulnerabilities we find (if any)
>     and our recommended defense-in-depth fixes (if any),
>     and remediate each vulnerability within a reasonable
>     timeframe (we’ll work this out with you when the
>     time comes), and you’ll be compensated for each
>
>   o If applicable, produce a new build that includes all
>     of the improvements made during this process
>
> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery
> <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>
> Awesome! Thank you for that Luca. Apologies for the lag,
> I was in Detroit last week for KubeCon meeting a number
> of projects we've done security engagements with and
> collecting feedback.
>
> I hope we can sync soon and discuss opportunities to
> help out with zeromq! Our org OSTIF (https://ostif.org/
> <https://ostif.org/>) has been advocating for providing
> free help to open source projects for almost 8 years
> now. We finally have some resources on our bench to help
> projects out with their security needs. I am finalizing
> what exactly that would look like in the next week!
>
> I'll have updates and resources for you soon. In the
> meantime feel free to reach out with any questions or
> feedback.
>
> Thank you,
> Amir
>
> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi
> <luca.boccassi at gmail.com
> <mailto:luca.boccassi at gmail.com>> wrote:
>
> Thanks, existing fuzzers are the *_fuzzer.cpp files
> at:
> https://github.com/zeromq/libzmq/tree/master/tests
> <https://github.com/zeromq/libzmq/tree/master/tests>
>
> On Wed, 19 Oct 2022 at 16:04, Amir Montazery
> <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>
> Of course, that is understandable. Thank you all
> for maintaining such an important project
> despite your busy schedules! I hope we can find
> a way to help make your lives easier.
>
> What we can contribute is a security review by
> an experienced team to assess general design
> review; code quality, defensive programming, and
> best practices, as well as opportunities to
> improve fuzzing. Additional fuzzers can be built
> and the team can integrate the project to
> oss-fuzz for continuous monitoring of security
> issues. Based on our experience, when security
> teams have a line of contact with the project
> maintainers, they can be guided and better
> utilized to help.
>
> I'm fairly certain that we can provide new
> fuzzers/test cases and will get more specific
> details for you on that.
>
> Thank you!
> Amir
>
>
>
>
>
> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi
> <luca.boccassi at gmail.com
> <mailto:luca.boccassi at gmail.com>> wrote:
>
> Hi,
>
> Thanks for the offer, but let's continue via
> mail please, we are all very busy as-is.
>
> What can you contribute, concretely? I have
> already set up fuzzing some time ago. Can
> you provide new fuzzers/test cases? If so
> that would be great, just send pull requests
> to the repository.
>
> On Wed, 12 Oct 2022 at 13:10, Amir Montazery
> <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>
> We can help with whatever the project
> needs. The intention is to connect the
> project maintainer(s)/contributor(s)
> with our security team (made up of
> security experts and Google Open Source
> Security engineers) to help where the
> project needs it most. We can help with
> bug fixes, security tooling i.e. fuzzing
> and developing fuzzers for the project,
> CI/CD, and anything else that will help
> zeromq be more secure!
>
> Thankfully we have resources to help and
> are able to compensate maintainer(s) who
> participate in the engagement to show
> our gratitude for your time and efforts.
>
> I'd be happy to set up a quick
> introductory call with anyone interested
> in learning more.
>
> Thank you and have a great day!
> Amir
>
> On Tue, Oct 11, 2022 at 10:05 PM Luca
> Boccassi <luca.boccassi at gmail.com
> <mailto:luca.boccassi at gmail.com>> wrote:
>
> Hi,
>
> What kind of support are you able to
> provide?
>
> On Tue, 11 Oct 2022 at 14:30, Amir
> Montazery <amir at ostif.org
> <mailto:amir at ostif.org>> wrote:
>
> Yes, I meant zeromq. Thank you
> Arnaud! That is my mistake.
>
> That’s great news, we have teams
> ready to help. Would you be a
> good person to coordinate that
> with? If anyone else comes to
> mind to include please let me know!
>
> I would be happy to set up a
> quick call to meet and discuss
> how we can best be of service to
> the zeromq project.
>
> Thank you,
> Amir
>
> On Tue, Oct 11, 2022 at 1:22 PM
> Arnaud Loonstra
> <arnaud at sphaero.org
> <mailto:arnaud at sphaero.org>> wrote:
>
> Are you sure you are on the
> right list? This is the zeromq
> list, not dnsmasq.
>
> We'd appreciate any help for
> sure!
>
> Rg,
>
> Arnaud
>
> On 07-10-2022 21:46, Amir Montazery wrote:
> > Hello dnsmasq community! OSTIF would like to help improve your security
> > posture!
> >
> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
> > <https://ostif.org/> is a nonprofit solely dedicated to helping open
> > source projects improve their security for free.
> >
> > We are working with a team of Google engineers and security experts to
> > help important open source projects like dnsmasq. This includes helping
> > improve testing, reviewing code, implementing more security tools, and
> > improving supply chain security.
> >
> > Additionally, we understand the time constraints that open source
> > contributors have, and would like to compensate contributors for their
> > time working with us.
> >
> > We would love to work with you! Please let me know who we should be
> > talking to and how we can help!
> >
> > Thank you in advance for your consideration!
> >
> > Best,
> >
> > Amir
> >
> > --
> > *Amir Montazery*
> > Managing Director
> > Open Source Technology Improvement Fund
> > https://ostif.org/
> > https://calendly.com/ostif
> >
> > _______________________________________________
> > zeromq-dev mailing list
> > zeromq-dev at lists.zeromq.org
> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
>
>
>
>
>