[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc
Amir Montazery
amir at ostif.org
Thu Nov 17 17:32:23 CET 2022
Thank you! How does 3pm UTC on 6th December look?
Thanks again,
Amir
On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra <arnaud at sphaero.org> wrote:
> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>
> Rg,
>
> Arnaud
>
> On 16-11-2022 20:12, Luca Boccassi wrote:
> > For myself, before 4pm or after 7.30pm (UTC) both days
> >
> > On Wed, 16 Nov 2022 at 18:47, Amir Montazery <amir at ostif.org> wrote:
> >
> > Thank you! Many of us are in European timezones as well (I myself am
> > based in Chicago, USA). Is there a time that works best on Monday,
> > December 5th or Tuesday, December 6th?
> >
> > On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi <luca.boccassi at gmail.com> wrote:
> >
> > Sounds great, thank you - most of us are in the European
> > timezones, let us know when you have a date/time in mind
> >
> > On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org> wrote:
> >
> > Thank you to everyone who has helped so far! What we can
> > concretely offer is below under "What you can expect". We
> > totally understand you maintainers are busy so the process
> > is designed to be easy for those who participate. We also
> > have a budget to compensate maintainers who help out
> > directly (that can go to a nonprofit of the project's choice
> > as well).
> >
> > Our first team of security experts is ready to meet the week
> > of December 5th if you'd like to participate.
> >
> > P.S. The OSTIF team plans to be in Brussels for FOSDEM, so we
> > hope to see some of you there!
> >
> > Thank you and let me know who would like to participate.
> >
> > - Amir
> >
> >
> > What you can expect
> >
> > Here is what we’re going to do (and need your help with) in a nutshell:
> >
> > * We’ll Perform an Initial Assessment
> >   o Meet with you to better understand and ask questions about your
> >     package – its architecture, design choices, known issues, and so on
> >   o Install Scorecard <https://github.com/ossf/scorecard#overview> if you
> >     don’t already have it – this evaluates your environment against a set
> >     of SDLC best practices (see https://securityscorecards.dev/ for more
> >     info) – and identify opportunities to improve low-scoring checks
> >   o Perform a quick code review, get your package to build, check for
> >     quality and best practices
> >   o Assess whether your package would benefit from fuzzing and is
> >     compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/>
> >     offering.
> >   o Assess whether your package would benefit from SLSA <https://slsa.dev/>
> >     and/or SBOM
> >     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
> >     software supply chain integrity (SSCI) technologies (for example, do
> >     your users commonly build from source or consume binaries that you
> >     build?)
> >
> > * If Warranted, We’ll Proceed with an In-Depth Review
> >   o Perform a targeted code review on your package to identify security
> >     vulnerabilities or recommended defense-in-depth fixes
> >   o If applicable, integrate your package with the OSS-Fuzz offering and
> >     tune it to achieve maximum coverage.
> >   o Improve eligible Scorecard check scores
> >   o Assist you with deploying SLSA and SBOM
> >
> > Here’s what we’ll ask you to do:
> >
> > * During the Initial Assessment
> >   o Meet with us and our partners in a “kick-off” meeting where we’ll ask
> >     you a number of questions about your package and how it works to build
> >     a shared threat model and scope the review
> >
> > * During Our In-Depth Review
> >   o Assist us with onboarding your package to OSS-Fuzz if applicable, and
> >     you’ll be compensated for doing so
> >   o Assist us with improving the Scorecard checks we recommend, and you’ll
> >     be compensated for each
> >   o Assist us with implementing SLSA and SBOM, if applicable, and you’ll be
> >     compensated for doing so
> >
> > * After our In-Depth Review
> >   o Review the security vulnerabilities we find (if any) and our
> >     recommended defense-in-depth fixes (if any), and remediate each
> >     vulnerability within a reasonable timeframe (we’ll work this out with
> >     you when the time comes), and you’ll be compensated for each
> >   o If applicable, produce a new build that includes all of the
> >     improvements made during this process
> >
> > On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <amir at ostif.org> wrote:
> >
> > Awesome! Thank you for that Luca. Apologies for the lag,
> > I was in Detroit last week for KubeCon meeting a number
> > of projects we've done security engagements with and
> > collecting feedback.
> >
> > I hope we can sync soon and discuss opportunities to
> > help out with zeromq! Our org OSTIF (https://ostif.org/) has been
> > advocating for providing
> > free help to open source projects for almost 8 years
> > now. We finally have some resources on our bench to help
> > projects out with their security needs. I am finalizing
> > what exactly that would look like in the next week!
> >
> > I'll have updates and resources for you soon. In the
> > meantime feel free to reach out with any questions or
> > feedback.
> >
> > Thank you,
> > Amir
> >
> > On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.boccassi at gmail.com> wrote:
> >
> > Thanks, existing fuzzers are the *_fuzzer.cpp files
> > at:
> > https://github.com/zeromq/libzmq/tree/master/tests
> >
> > On Wed, 19 Oct 2022 at 16:04, Amir Montazery <amir at ostif.org> wrote:
> >
> > Of course, that is understandable. Thank you all
> > for maintaining such an important project
> > despite your busy schedules! I hope we can find
> > a way to help make your lives easier.
> >
> > What we can contribute is a security review by
> > an experienced team to assess general design
> > review; code quality, defensive programming, and
> > best practices, as well as opportunities to
> > improve fuzzing. Additional fuzzers can be built
> > and the team can integrate the project to
> > oss-fuzz for continuous monitoring of security
> > issues. Based on our experience, when security
> > teams have a line of contact with the project
> > maintainers, they can be guided and better
> > utilized to help.
> >
> > I'm fairly certain that we can provide new
> > fuzzers/test cases and will get more specific
> > details for you on that.
> >
> > Thank you!
> > Amir
> >
> >
> >
> >
> >
> > On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <luca.boccassi at gmail.com> wrote:
> >
> > Hi,
> >
> > Thanks for the offer, but let's continue via
> > mail please, we are all very busy as-is.
> >
> > What can you contribute, concretely? I have
> > already set up fuzzing some time ago. Can
> > you provide new fuzzers/test cases? If so
> > that would be great, just send pull requests
> > to the repository.
> >
> > On Wed, 12 Oct 2022 at 13:10, Amir Montazery <amir at ostif.org> wrote:
> >
> > We can help with whatever the project
> > needs. The intention is to connect the
> > project maintainer(s)/contributor(s)
> > with our security team (made up of
> > security experts and Google Open Source
> > Security engineers) to help where the
> > project needs it most. We can help with
> > bug fixes, security tooling, i.e. fuzzing
> > and developing fuzzers for the project,
> > CI/CD, and anything else that will help
> > zeromq be more secure!
> >
> > Thankfully we have resources to help and
> > are able to compensate maintainer(s) who
> > participate in the engagement to show
> > our gratitude for your time and efforts.
> >
> > I'd be happy to set up a quick
> > introductory call with anyone interested
> > in learning more.
> >
> > Thank you and have a great day!
> > Amir
> >
> > On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <luca.boccassi at gmail.com> wrote:
> >
> > Hi,
> >
> > What kind of support are you able to
> > provide?
> >
> > On Tue, 11 Oct 2022 at 14:30, Amir Montazery <amir at ostif.org> wrote:
> >
> > Yes, I meant zeromq. Thank you
> > Arnaud! That is my mistake.
> >
> > That’s great news, we have teams
> > ready to help. Would you be a
> > good person to coordinate that
> > with? If anyone else comes to
> > mind to include please let me
> know!
> >
> > I would be happy to set up a
> > quick call to meet and discuss
> > how we can best be of service to
> > the zeromq project.
> >
> > Thank you,
> > Amir
> >
> > On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <arnaud at sphaero.org> wrote:
> >
> > Are you sure you are on the right list? This is the zeromq list, not
> > dnsmasq.
> >
> > We'd appreciate any help for
> > sure!
> >
> > Rg,
> >
> > Arnaud
> >
> > On 07-10-2022 21:46, Amir Montazery wrote:
> > > Hello dnsmasq community! OSTIF would like to help improve your security
> > > posture!
> > >
> > > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
> > > <https://ostif.org/> is a nonprofit solely dedicated to helping open
> > > source projects improve their security for free.
> > >
> > > We are working with a team of Google engineers and security experts to
> > > help important open source projects like dnsmasq. This includes helping
> > > improve testing, reviewing code, implementing more security tools, and
> > > improving supply chain security.
> > >
> > > Additionally, we understand the time constraints that open source
> > > contributors have, and would like to compensate contributors for their
> > > time working with us.
> > >
> > > We would love to work with you! Please let me know who we should be
> > > talking to and how we can help!
> > >
> > > Thank you in advance for your consideration!
> > >
> > > Best,
> > >
> > > Amir
> > >
> > > --
> > > *Amir Montazery*
> > > Managing Director
> > > Open Source Technology Improvement Fund
> > > https://ostif.org/
> > > https://calendly.com/ostif
> > >
> > > _______________________________________________
> > > zeromq-dev mailing list
> > > zeromq-dev at lists.zeromq.org
> > > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
> >
>
--
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif