[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

Amir Montazery amir at ostif.org
Thu Nov 17 17:32:23 CET 2022


Thank you! How does 3pm UTC on 6th December look?

Thanks again,
Amir

On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra <arnaud at sphaero.org> wrote:

> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>
> Rg,
>
> Arnaud
>
> On 16-11-2022 20:12, Luca Boccassi wrote:
> > For myself, before 4pm or after 7.30pm (UTC) both days
> >
> > On Wed, 16 Nov 2022 at 18:47, Amir Montazery <amir at ostif.org
> > <mailto:amir at ostif.org>> wrote:
> >
> >     Thank you! Many of us are in european timezones as well (I myself am
> >     based in Chicago, USA). Is there a time that works best on Monday,
> >     December 5th or Tuesday, December 6th?
> >
> >     On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi
> >     <luca.boccassi at gmail.com <mailto:luca.boccassi at gmail.com>> wrote:
> >
> >         Sounds great, thank you - most of us are in the european
> >         timezones, let us know when you have a date/time in mind
> >
> >         On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org
> >         <mailto:amir at ostif.org>> wrote:
> >
> >             Thank you to everyone who has helped so far! What we can
> >             concretely offer is below under "What you can expect". We
> >             totally understand you maintainers are busy so the process
> >             is designed to be easy for those who participate. We also
> >             have a budget to compensate maintainers who help out
> >             directly (that can go to a nonprofit of the project's choice
> >             as well).
> >
> >             Our first team of security experts is ready to meet the week
> >             of December 5th if you'd like to participate.
> >
> >             P.S. The OSTIF team plans to be in Brussels for FOSDEM so we
> >             hope to see some of you there!
> >
> >             Thank you and let me know who would like to participate.
> >
> >             - Amir
> >
> >
> >             What you can expect
> >
> >             Here is what we’re going to do (and need your help with) in
> >             a nutshell:
> >
> >               * We’ll Perform an Initial Assessment
> >
> >                   o Meet with you to better understand and ask questions
> >                     about your package – its architecture, design
> >                     choices, known issues, and so on
> >
> >                   o Install Scorecard
> >                     <https://github.com/ossf/scorecard#overview> if you
> >                     don’t already have it – this evaluates your
> >                     environment against a set of SDLC best practices
> >                     (see https://securityscorecards.dev/ for more info)
> >                     – and identify opportunities to improve low-scoring
> >                     checks
> >
> >                   o Perform a quick code review, get your package to
> >                     build, check for quality and best practices
> >
> >                   o Assess whether your package would benefit from
> >                     fuzzing and is compatible with our OSS-Fuzz
> >                     <https://google.github.io/oss-fuzz/> offering.
> >
> >                   o Assess whether your package would benefit from SLSA
> >                     <https://slsa.dev/> and/or SBOM
> >                     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
> >                     software supply chain integrity (SSCI) technologies
> >                     (for example, do your users commonly build from
> >                     source or consume binaries that you build?)
> >
> >               * If Warranted, We’ll Proceed with an In-Depth Review
> >
> >                   o Perform a targeted code review on your package to
> >                     identify security vulnerabilities or recommended
> >                     defense-in-depth fixes
> >
> >                   o If applicable, integrate your package with the OSS
> >                     Fuzz offering and tune it to achieve maximum
> >                     coverage.
> >
> >                   o Improve eligible Scorecard check scores
> >
> >                   o Assist you with deploying SLSA and SBOM
> >
> >             Here’s what we’ll ask you to do:
> >
> >               * During the Initial Assessment
> >
> >                   o Meet with us and our partners in a “kick-off”
> >                     meeting where we’ll ask you a number of questions
> >                     about your package and how it works to build a
> >                     shared threat model and scope the review
> >
> >               * During Our In-Depth Review
> >
> >                   o Assist us with onboarding your package to OSS-Fuzz
> >                     if applicable, and you’ll be compensated for doing so
> >
> >                   o Assist us with improving the Scorecard checks we
> >                     recommend, and you’ll be compensated for each
> >
> >                   o Assist us with implementing SLSA and SBOM, if
> >                     applicable, and you’ll be compensated for doing so
> >
> >               * After our In-Depth Review
> >
> >                   o Review the security vulnerabilities we find (if any)
> >                     and our recommended defense-in-depth fixes (if any),
> >                     and remediate each vulnerability within a reasonable
> >                     timeframe (we’ll work this out with you when the
> >                     time comes), and you’ll be compensated for each
> >
> >                   o If applicable, produce a new build that includes all
> >                     of the improvements made during this process
> >
> >             On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery
> >             <amir at ostif.org <mailto:amir at ostif.org>> wrote:
> >
> >                 Awesome! Thank you for that Luca. Apologies for the lag,
> >                 I was in Detroit last week for KubeCon meeting a number
> >                 of projects we've done security engagements with and
> >                 collecting feedback.
> >
> >                 I hope we can sync soon and discuss opportunities to
> >                 help out with zeromq! Our org OSTIF (https://ostif.org/
> >                 <https://ostif.org/>) has been advocating for providing
> >                 free help to open source projects for almost 8 years
> >                 now. We finally have some resources on our bench to help
> >                 projects out with their security needs. I am finalizing
> >                 what exactly that would look like in the next week!
> >
> >                 I'll have updates and resources for you soon. In the
> >                 meantime feel free to reach out with any questions or
> >                 feedback.
> >
> >                 Thank you,
> >                 Amir
> >
> >                 On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi
> >                 <luca.boccassi at gmail.com
> >                 <mailto:luca.boccassi at gmail.com>> wrote:
> >
> >                     Thanks, existing fuzzers are the *_fuzzer.cpp files
> >                     at:
> >                     https://github.com/zeromq/libzmq/tree/master/tests
> >                     <https://github.com/zeromq/libzmq/tree/master/tests>
> >
> >                     On Wed, 19 Oct 2022 at 16:04, Amir Montazery
> >                     <amir at ostif.org <mailto:amir at ostif.org>> wrote:
> >
> >                         Of course, that is understandable. Thank you all
> >                         for maintaining such an important project
> >                         despite your busy schedules! I hope we can find
> >                         a way to help make your lives easier.
> >
> >                         What we can contribute is a security review by
> >                         an experienced team to assess general design
> >                         review; code quality, defensive programming, and
> >                         best practices, as well as opportunities to
> >                         improve fuzzing. Additional fuzzers can be built
> >                         and the team can integrate the project to
> >                         oss-fuzz for continuous monitoring of security
> >                         issues. Based on our experience, when security
> >                         teams have a line of contact with the project
> >                         maintainers, they can be guided and better
> >                         utilized to help.
> >
> >                         I'm fairly certain that we can provide new
> >                         fuzzers/test cases and will get more specific
> >                         details for you on that.
> >
> >                         Thank you!
> >                         Amir
> >
> >
> >
> >
> >
> >                         On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi
> >                         <luca.boccassi at gmail.com
> >                         <mailto:luca.boccassi at gmail.com>> wrote:
> >
> >                             Hi,
> >
> >                             Thanks for the offer, but let's continue via
> >                             mail please, we are all very busy as-is.
> >
> >                             What can you contribute, concretely? I have
> >                             already set up fuzzing some time ago. Can
> >                             you provide new fuzzers/test cases? If so
> >                             that would be great, just send pull requests
> >                             to the repository.
> >
> >                             On Wed, 12 Oct 2022 at 13:10, Amir Montazery
> >                             <amir at ostif.org <mailto:amir at ostif.org>>
> >                             wrote:
> >
> >                                 We can help with whatever the project
> >                                 needs. The intention is to connect the
> >                                 project maintainer(s)/contributor(s)
> >                                 with our security team (made up of
> >                                 security experts and Google Open Source
> >                                 Security engineers) to help where the
> >                                 project needs it most. We can help with
> >                                 bug fixes, security tooling, i.e. fuzzing
> >                                 and developing fuzzers for the project,
> >                                 CI/CD, and anything else that will help
> >                                 zeromq be more secure!
> >
> >                                 Thankfully we have resources to help and
> >                                 are able to compensate maintainer(s) who
> >                                 participate in the engagement to show
> >                                 our gratitude for your time and efforts.
> >
> >                                 I'd be happy to set up a quick
> >                                 introductory call with anyone interested
> >                                 in learning more.
> >
> >                                 Thank you and have a great day!
> >                                 Amir
> >
> >                                 On Tue, Oct 11, 2022 at 10:05 PM Luca
> >                                 Boccassi <luca.boccassi at gmail.com
> >                                 <mailto:luca.boccassi at gmail.com>> wrote:
> >
> >                                     Hi,
> >
> >                                     What kind of support are you able to
> >                                     provide?
> >
> >                                     On Tue, 11 Oct 2022 at 14:30, Amir
> >                                     Montazery <amir at ostif.org
> >                                     <mailto:amir at ostif.org>> wrote:
> >
> >                                         Yes, I meant zeromq. Thank you
> >                                         Arnaud! That is my mistake.
> >
> >                                         That’s great news, we have teams
> >                                         ready to help. Would you be a
> >                                         good person to coordinate that
> >                                         with? If anyone else comes to
> >                                         mind to include please let me
> >                                         know!
> >
> >                                         I would be happy to set up a
> >                                         quick call to meet and discuss
> >                                         how we can best be of service to
> >                                         the zeromq project.
> >
> >                                         Thank you,
> >                                         Amir
> >
> >                                         On Tue, Oct 11, 2022 at 1:22 PM
> >                                         Arnaud Loonstra
> >                                         <arnaud at sphaero.org
> >                                         <mailto:arnaud at sphaero.org>>
> >                                         wrote:
> >
> >                                             Are you sure you are on the
> >                                             right list? This is the zeromq
> >                                             list, not dnsmasq.
> >
> >                                             We'd appreciate any help for
> >                                             sure!
> >
> >                                             Rg,
> >
> >                                             Arnaud
> >
> >                                             On 07-10-2022 21:46, Amir
> >                                             Montazery wrote:
> >                                              > Hello dnsmasq community!
> >                                              > OSTIF would like to help
> >                                              > improve your security
> >                                              > posture!
> >                                              >
> >                                              > I’m Amir from Open Source
> >                                              > Technology Improvement Fund,
> >                                              > Inc. OSTIF
> >                                              > <https://ostif.org/> is a
> >                                              > nonprofit solely dedicated
> >                                              > to helping open source
> >                                              > projects improve their
> >                                              > security for free.
> >                                              >
> >                                              > We are working with a team
> >                                              > of Google engineers and
> >                                              > security experts to help
> >                                              > important open source
> >                                              > projects like dnsmasq. This
> >                                              > includes helping improve
> >                                              > testing, reviewing code,
> >                                              > implementing more security
> >                                              > tools, and improving supply
> >                                              > chain security.
> >                                              >
> >                                              > Additionally, we understand
> >                                              > the time constraints that
> >                                              > open source contributors
> >                                              > have, and would like to
> >                                              > compensate contributors for
> >                                              > their time working with us.
> >                                              >
> >                                              > We would love to work with
> >                                              > you! Please let me know who
> >                                              > we should be talking to and
> >                                              > how we can help!
> >                                              >
> >                                              > Thank you in advance for
> >                                              > your consideration!
> >                                              >
> >                                              > Best,
> >                                              >
> >                                              > Amir
> >                                              >
> >                                              > --
> >                                              > *Amir Montazery*
> >                                              > Managing Director
> >                                              > Open Source Technology
> >                                              > Improvement Fund
> >                                              > https://ostif.org/
> >                                              > https://calendly.com/ostif
> >                                              >
> >                                              > _______________________________________________
> >                                              > zeromq-dev mailing list
> >                                              > zeromq-dev at lists.zeromq.org
> >                                              > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
> >
>


-- 
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif
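The thread above points at libzmq's existing `*_fuzzer.cpp` files under tests/ and at onboarding the project to OSS-Fuzz. What follows is an added example, not code from the thread or from the libzmq project: a harness in the shape those files take (an exported `LLVMFuzzerTestOneInput`), written around a self-contained Z85 codec that stands in for libzmq's `zmq_z85_encode()`/`zmq_z85_decode()` so the file builds with a plain C++ compiler and without libzmq or the libFuzzer runtime. The codec itself, the two round-trip properties the harness checks, and the rejection of 5-character groups above 2^32-1 are this example's own choices and say nothing about how libzmq implements Z85.

```cpp
// Added example, not libzmq's code: a libFuzzer/OSS-Fuzz style harness in
// the shape of libzmq's tests/*_fuzzer.cpp files. The Z85 codec below is a
// self-contained stand-in for zmq_z85_encode()/zmq_z85_decode() so that the
// file builds without libzmq or the libFuzzer runtime.
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Z85 alphabet from ZeroMQ RFC 32: 85 printable characters, digits first.
static const char kZ85Alpha[] =
    "0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#";

// Reverse lookup: byte value -> alphabet index, or -1 if not a Z85 character.
static const std::array<int, 256> kZ85Rev = [] {
    std::array<int, 256> t;
    t.fill(-1);
    for (int i = 0; i < 85; ++i)
        t[static_cast<unsigned char>(kZ85Alpha[i])] = i;
    return t;
}();

// Encode each 4-byte group as 5 Z85 characters (big-endian value, base 85).
// Trailing bytes that do not fill a group are ignored; the spec requires
// input sizes that are multiples of 4.
std::string z85Encode(const std::vector<uint8_t> &in) {
    std::string out;
    for (size_t i = 0; i + 4 <= in.size(); i += 4) {
        uint32_t v = (uint32_t(in[i]) << 24) | (uint32_t(in[i + 1]) << 16) |
                     (uint32_t(in[i + 2]) << 8) | uint32_t(in[i + 3]);
        char grp[5];
        for (int k = 4; k >= 0; --k) {  // least significant digit goes last
            grp[k] = kZ85Alpha[v % 85];
            v /= 85;
        }
        out.append(grp, 5);
    }
    return out;
}

// Decode a Z85 string. Returns false (leaving `out` empty) for the three
// malformed-input classes a fuzzer will find quickly: length not a multiple
// of 5, a byte outside the alphabet, or a 5-character group whose value
// exceeds 2^32-1 (85^5 > 2^32, so such strings exist and must not wrap).
bool z85Decode(const std::string &in, std::vector<uint8_t> &out) {
    out.clear();
    if (in.size() % 5 != 0) return false;
    for (size_t i = 0; i < in.size(); i += 5) {
        uint64_t v = 0;  // 64-bit accumulator so the range check is exact
        for (int k = 0; k < 5; ++k) {
            int d = kZ85Rev[static_cast<unsigned char>(in[i + k])];
            if (d < 0) { out.clear(); return false; }
            v = v * 85 + static_cast<uint64_t>(d);
        }
        if (v > 0xFFFFFFFFull) { out.clear(); return false; }
        out.push_back(static_cast<uint8_t>(v >> 24));
        out.push_back(static_cast<uint8_t>(v >> 16));
        out.push_back(static_cast<uint8_t>(v >> 8));
        out.push_back(static_cast<uint8_t>(v));
    }
    return true;
}

// Fuzz entry point with the signature libFuzzer and OSS-Fuzz call. Beyond
// "does not crash", it asserts two round-trip properties, so a logic bug
// (not only a memory bug) shows up as a fuzzer-reported crash.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // Property 1: anything the decoder accepts re-encodes to the same text.
    std::string text(reinterpret_cast<const char *>(data), size);
    std::vector<uint8_t> bytes;
    if (z85Decode(text, bytes) && z85Encode(bytes) != text)
        std::abort();
    // Property 2: any whole-group byte input survives encode -> decode.
    std::vector<uint8_t> raw(data, data + (size - size % 4));
    std::vector<uint8_t> back;
    if (!z85Decode(z85Encode(raw), back) || back != raw)
        std::abort();
    return 0;
}

// Stand-alone driver: replays the files named on the command line as fuzzer
// inputs. Define Z85_FUZZ_NO_MAIN when linking against libFuzzer, which
// supplies its own main().
#ifndef Z85_FUZZ_NO_MAIN
int main(int argc, char **argv) {
    for (int i = 1; i < argc; ++i) {
        FILE *f = std::fopen(argv[i], "rb");
        if (!f) { std::perror(argv[i]); return 1; }
        std::vector<uint8_t> buf(1 << 16);
        size_t n = std::fread(buf.data(), 1, buf.size(), f);
        std::fclose(f);
        LLVMFuzzerTestOneInput(buf.data(), n);
        std::printf("%s: ok\n", argv[i]);
    }
    return 0;
}
#endif
```

Build it plainly to replay crash files, or with `clang++ -fsanitize=fuzzer,address -DZ85_FUZZ_NO_MAIN` to let libFuzzer drive it. The two `abort()` checks are the part worth copying into a real harness: a fuzzer only reports what crashes, so encoding an invariant into the target turns a silent wrong answer into a finding instead of a coverage statistic.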