[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc
Luca Boccassi
luca.boccassi at gmail.com
Thu Nov 17 17:56:01 CET 2022
Sounds good for me, thank you
On Thu, 17 Nov 2022 at 16:36, Amir Montazery <amir at ostif.org> wrote:
> Thank you! How does 3pm UTC on 6th December look?
>
> Thanks again,
> Amir
>
> On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra <arnaud at sphaero.org>
> wrote:
>
>> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>>
>> Rg,
>>
>> Arnaud
>>
>> On 16-11-2022 20:12, Luca Boccassi wrote:
>> > For myself, before 4pm or after 7.30pm (UTC) both days
>> >
>> > On Wed, 16 Nov 2022 at 18:47, Amir Montazery <amir at ostif.org
>> > <mailto:amir at ostif.org>> wrote:
>> >
>> > Thank you! Many of us are in European timezones as well (I myself am
>> > based in Chicago, USA). Is there a time that works best on Monday,
>> > December 5th or Tuesday, December 6th?
>> >
>> > On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi
>> > <luca.boccassi at gmail.com <mailto:luca.boccassi at gmail.com>> wrote:
>> >
>> > Sounds great, thank you - most of us are in the European
>> > timezones, let us know when you have a date/time in mind
>> >
>> > On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org
>> > <mailto:amir at ostif.org>> wrote:
>> >
>> > Thank you to everyone who has helped so far! What we can
>> > concretely offer is below under "What you can expect". We
>> > totally understand you maintainers are busy so the process
>> > is designed to be easy for those who participate. We also
>> > have a budget to compensate maintainers who help out
>> > directly (that can go to a nonprofit of the project's choice
>> > as well).
>> >
>> > Our first team of security experts is ready to meet the week
>> > of December 5th if you'd like to participate.
>> >
>> > P.S. The OSTIF team plans to be in Brussels for FOSDEM so we
>> > hope to see some of you there!
>> >
>> > Thank you and let me know who would like to participate.
>> >
>> > - Amir
>> >
>> >
>> > What you can expect
>> >
>> > Here are what we’re going to do (and need your help with) in
>> > a nutshell:
>> >
>> > * We’ll Perform an Initial Assessment
>> >
>> >   o Meet with you to better understand and ask questions
>> >     about your package – its architecture, design
>> >     choices, known issues, and so on
>> >
>> >   o Install Scorecard <https://github.com/ossf/scorecard#overview>
>> >     if you don’t already have it – this evaluates your
>> >     environment against a set of SDLC best practices
>> >     (see https://securityscorecards.dev/ for more info) –
>> >     and identify opportunities to improve low-scoring checks
>> >
>> >   o Perform a quick code review, get your package to
>> >     build, check for quality and best practices
>> >
>> >   o Assess whether your package would benefit from
>> >     fuzzing and is compatible with our OSS-Fuzz
>> >     <https://google.github.io/oss-fuzz/> offering.
>> >
>> >   o Assess whether your package would benefit from SLSA
>> >     <https://slsa.dev/> and/or SBOM
>> >     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>> >     software supply chain integrity (SSCI) technologies (for example, do your
>> >     users commonly build from source or consume binaries that you build?)
>> >
>> > * If Warranted, We’ll Proceed with an In-Depth Review
>> >
>> >   o Perform a targeted code review on your package to
>> >     identify security vulnerabilities or recommended
>> >     defense-in-depth fixes
>> >
>> >   o If applicable, integrate your package with the OSS
>> >     Fuzz offering and tune it to achieve maximum
>> >     coverage.
>> >
>> >   o Improve eligible Scorecard check scores
>> >
>> >   o Assist you with deploying SLSA and SBOM
>> >
>> > Here’s what we’ll ask you to do:
>> >
>> > * During the Initial Assessment
>> >
>> >   o Meet with us and our partners in a “kick-off”
>> >     meeting where we’ll ask you a number of questions
>> >     about your package and how it works to build a
>> >     shared threat model and scope the review
>> >
>> > * During Our In-Depth Review
>> >
>> >   o Assist us with onboarding your package to OSS-Fuzz
>> >     if applicable, and you’ll be compensated for doing
>> >     so
>> >
>> >   o Assist us with improving the Scorecard checks we
>> >     recommend, and you’ll be compensated for each
>> >
>> >   o Assist us with implementing SLSA and SBOM, if
>> >     applicable, and you’ll be compensated for doing so
>> >
>> > * After our In-Depth Review
>> >
>> >   o Review the security vulnerabilities we find (if any)
>> >     and our recommended defense-in-depth fixes (if any),
>> >     and remediate each vulnerability within a reasonable
>> >     timeframe (we’ll work this out with you when the
>> >     time comes), and you’ll be compensated for each
>> >
>> >   o If applicable, produce a new build that includes all
>> >     of the improvements made during this process
>> >
>> > On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery
>> > <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>> >
>> > Awesome! Thank you for that Luca. Apologies for the lag,
>> > I was in Detroit last week for KubeCon meeting a number
>> > of projects we've done security engagements with and
>> > collecting feedback.
>> >
>> > I hope we can sync soon and discuss opportunities to
>> > help out with zeromq! Our org OSTIF (https://ostif.org/
>> > <https://ostif.org/>) has been advocating for providing
>> > free help to open source projects for almost 8 years
>> > now. We finally have some resources on our bench to help
>> > projects out with their security needs. I am finalizing
>> > what exactly that would look like in the next week!
>> >
>> > I'll have updates and resources for you soon. In the
>> > meantime feel free to reach out with any questions or
>> > feedback.
>> >
>> > Thank you,
>> > Amir
>> >
>> > On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi
>> > <luca.boccassi at gmail.com
>> > <mailto:luca.boccassi at gmail.com>> wrote:
>> >
>> > Thanks, existing fuzzers are the *_fuzzer.cpp files
>> > at: https://github.com/zeromq/libzmq/tree/master/tests
>> >
>> >
>> > On Wed, 19 Oct 2022 at 16:04, Amir Montazery
>> > <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>> >
>> > Of course, that is understandable. Thank you all
>> > for maintaining such an important project
>> > despite your busy schedules! I hope we can find
>> > a way to help make your lives easier.
>> >
>> > What we can contribute is a security review by
>> > an experienced team to assess general design
>> > review; code quality, defensive programming, and
>> > best practices, as well as opportunities to
>> > improve fuzzing. Additional fuzzers can be built
>> > and the team can integrate the project to
>> > oss-fuzz for continuous monitoring of security
>> > issues. Based on our experience, when security
>> > teams have a line of contact with the project
>> > maintainers, they can be guided and better
>> > utilized to help.
>> >
>> > I'm fairly certain that we can provide new
>> > fuzzers/test cases and will get more specific
>> > details for you on that.
>> >
>> > Thank you!
>> > Amir
>> >
>> >
>> >
>> >
>> >
>> > On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi
>> > <luca.boccassi at gmail.com
>> > <mailto:luca.boccassi at gmail.com>> wrote:
>> >
>> > Hi,
>> >
>> > Thanks for the offer, but let's continue via
>> > mail please, we are all very busy as-is.
>> >
>> > What can you contribute, concretely? I have
>> > already set up fuzzing some time ago. Can
>> > you provide new fuzzers/test cases? If so
>> > that would be great, just send pull requests
>> > to the repository.
>> >
>> > On Wed, 12 Oct 2022 at 13:10, Amir Montazery
>> > <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>> >
>> > We can help with whatever the project
>> > needs. The intention is to connect the
>> > project maintainer(s)/contributor(s)
>> > with our security team (made up of
>> > security experts and Google Open Source
>> > Security engineers) to help where the
>> > project needs it most. We can help with
>> > bug fixes, security tooling, i.e. fuzzing
>> > and developing fuzzers for the project,
>> > CI/CD, and anything else that will help
>> > zeromq be more secure!
>> >
>> > Thankfully we have resources to help and
>> > are able to compensate maintainer(s) who
>> > participate in the engagement to show
>> > our gratitude for your time and efforts.
>> >
>> > I'd be happy to set up a quick
>> > introductory call with anyone interested
>> > in learning more.
>> >
>> > Thank you and have a great day!
>> > Amir
>> >
>> > On Tue, Oct 11, 2022 at 10:05 PM Luca
>> > Boccassi <luca.boccassi at gmail.com
>> > <mailto:luca.boccassi at gmail.com>> wrote:
>> >
>> > Hi,
>> >
>> > What kind of support are you able to
>> > provide?
>> >
>> > On Tue, 11 Oct 2022 at 14:30, Amir
>> > Montazery <amir at ostif.org
>> > <mailto:amir at ostif.org>> wrote:
>> >
>> > Yes, I meant zeromq. Thank you
>> > Arnaud! That is my mistake.
>> >
>> > That’s great news, we have teams
>> > ready to help. Would you be a
>> > good person to coordinate that
>> > with? If anyone else comes to
>> > mind to include please let me know!
>> >
>> > I would be happy to set up a
>> > quick call to meet and discuss
>> > how we can best be of service to
>> > the zeromq project.
>> >
>> > Thank you,
>> > Amir
>> >
>> > On Tue, Oct 11, 2022 at 1:22 PM
>> > Arnaud Loonstra
>> > <arnaud at sphaero.org
>> > <mailto:arnaud at sphaero.org>> wrote:
>> >
>> > Are you sure you are on the
>> > right list? This is the zeromq
>> > list, not dnsmasq.
>> >
>> > We'd appreciate any help for
>> > sure!
>> >
>> > Rg,
>> >
>> > Arnaud
>> >
>> > On 07-10-2022 21:46, Amir Montazery wrote:
>> > > Hello dnsmasq community! OSTIF would like to help
>> > > improve your security posture!
>> > >
>> > > I’m Amir from Open Source Technology Improvement Fund,
>> > > Inc. OSTIF <https://ostif.org/> is a nonprofit solely
>> > > dedicated to helping open source projects improve
>> > > their security for free.
>> > >
>> > > We are working with a team of Google engineers and
>> > > security experts to help important open source
>> > > projects like dnsmasq. This includes helping improve
>> > > testing, reviewing code, implementing more security
>> > > tools, and improving supply chain security.
>> > >
>> > > Additionally, we understand the time constraints that
>> > > open source contributors have, and would like to
>> > > compensate contributors for their time working with us.
>> > >
>> > > We would love to work with you! Please let me know
>> > > who we should be talking to and how we can help!
>> > >
>> > > Thank you in advance for your consideration!
>> > >
>> > > Best,
>> > >
>> > > Amir
>> > >
>> > > --
>> > > *Amir Montazery*
>> > > Managing Director
>> > > Open Source Technology Improvement Fund
>> > > https://ostif.org/
>> > > https://calendly.com/ostif
>> > >
>> > > _______________________________________________
>> > > zeromq-dev mailing list
>> > > zeromq-dev at lists.zeromq.org
>> > > https://lists.zeromq.org/mailman/listinfo/zeromq-dev