[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

Luca Boccassi luca.boccassi at gmail.com
Thu Nov 17 17:56:01 CET 2022


Sounds good for me, thank you

On Thu, 17 Nov 2022 at 16:36, Amir Montazery <amir at ostif.org> wrote:

> Thank you! How does 3pm UTC on 6th December look?
>
> Thanks again,
> Amir
>
> On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra <arnaud at sphaero.org>
> wrote:
>
>> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>>
>> Rg,
>>
>> Arnaud
>>
>> On 16-11-2022 20:12, Luca Boccassi wrote:
>> > For myself, before 4pm or after 7.30pm (UTC) both days
>> >
>> > On Wed, 16 Nov 2022 at 18:47, Amir Montazery <amir at ostif.org> wrote:
>> >
>> >     Thank you! Many of us are in European timezones as well (I myself am
>> >     based in Chicago, USA). Is there a time that works best on Monday,
>> >     December 5th or Tuesday, December 6th?
>> >
>> >     On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi
>> >     <luca.boccassi at gmail.com> wrote:
>> >
>> >         Sounds great, thank you - most of us are in the European
>> >         timezones, let us know when you have a date/time in mind
>> >
>> >         On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org
>> >         <mailto:amir at ostif.org>> wrote:
>> >
>> >             Thank you to everyone who has helped so far! What we can
>> >             concretely offer is below under "What you can expect". We
>> >             totally understand you maintainers are busy so the process
>> >             is designed to be easy for those who participate. We also
>> >             have a budget to compensate maintainers who help out
>> >             directly (that can go to a nonprofit of the project's choice
>> >             as well).
>> >
>> >             Our first team of security experts is ready to meet the week
>> >             of December 5th if you'd like to participate.
>> >
>> >             P.S. The OSTIF team plans to be in Brussels for FOSDEM so we
>> >             hope to see some of you there!
>> >
>> >             Thank you and let me know who would like to participate.
>> >
>> >             - Amir
>> >
>> >
>> >             What you can expect
>> >
>> >             Here is what we’re going to do (and need your help with) in
>> >             a nutshell:
>> >
>> >               * We’ll Perform an Initial Assessment
>> >
>> >                   o Meet with you to better understand and ask questions
>> >                     about your package – its architecture, design
>> >                     choices, known issues, and so on
>> >
>> >                   o Install Scorecard
>> >                     <https://github.com/ossf/scorecard#overview> if you
>> >                     don’t already have it – this evaluates your
>> >                     environment against a set of SDLC best practices
>> >                     (see https://securityscorecards.dev/ for more info) –
>> >                     and identify opportunities to improve low-scoring
>> >                     checks
>> >
>> >                   o Perform a quick code review, get your package to
>> >                     build, check for quality and best practices
>> >
>> >                   o Assess whether your package would benefit from
>> >                     fuzzing and is compatible with our OSS-Fuzz
>> >                     <https://google.github.io/oss-fuzz/> offering.
>> >
>> >                   o Assess whether your package would benefit from SLSA
>> >                     <https://slsa.dev/> and/or SBOM
>> >                     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>> >                     software supply chain integrity (SSCI) technologies
>> >                     (for example, do your users commonly build from
>> >                     source or consume binaries that you build?)
>> >
>> >               * If Warranted, We’ll Proceed with an In-Depth Review
>> >
>> >                   o Perform a targeted code review on your package to
>> >                     identify security vulnerabilities or recommended
>> >                     defense-in-depth fixes
>> >
>> >                   o If applicable, integrate your package with the OSS
>> >                     Fuzz offering and tune it to achieve maximum
>> >                     coverage.
>> >
>> >                   o Improve eligible Scorecard check scores
>> >
>> >                   o Assist you with deploying SLSA and SBOM
>> >
>> >             Here’s what we’ll ask you to do:
>> >
>> >               * During the Initial Assessment
>> >
>> >                   o Meet with us and our partners in a “kick-off”
>> >                     meeting where we’ll ask you a number of questions
>> >                     about your package and how it works to build a
>> >                     shared threat model and scope the review
>> >
>> >               * During Our In-Depth Review
>> >
>> >                   o Assist us with onboarding your package to OSS-Fuzz
>> >                     if applicable, and you’ll be compensated for doing
>> >                     so
>> >
>> >                   o Assist us with improving the Scorecard checks we
>> >                     recommend, and you’ll be compensated for each
>> >
>> >                   o Assist us with implementing SLSA and SBOM, if
>> >                     applicable, and you’ll be compensated for doing so
>> >
>> >               * After our In-Depth Review
>> >
>> >                   o Review the security vulnerabilities we find (if any)
>> >                     and our recommended defense-in-depth fixes (if any),
>> >                     and remediate each vulnerability within a reasonable
>> >                     timeframe (we’ll work this out with you when the
>> >                     time comes), and you’ll be compensated for each
>> >
>> >                   o If applicable, produce a new build that includes all
>> >                     of the improvements made during this process
>> >
>> >             On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery
>> >             <amir at ostif.org> wrote:
>> >
>> >                 Awesome! Thank you for that Luca. Apologies for the lag,
>> >                 I was in Detroit last week for KubeCon meeting a number
>> >                 of projects we've done security engagements with and
>> >                 collecting feedback.
>> >
>> >                 I hope we can sync soon and discuss opportunities to
>> >                 help out with zeromq! Our org OSTIF (https://ostif.org/)
>> >                 has been advocating for providing
>> >                 free help to open source projects for almost 8 years
>> >                 now. We finally have some resources on our bench to help
>> >                 projects out with their security needs. I am finalizing
>> >                 what exactly that would look like in the next week!
>> >
>> >                 I'll have updates and resources for you soon. In the
>> >                 meantime feel free to reach out with any questions or
>> >                 feedback.
>> >
>> >                 Thank you,
>> >                 Amir
>> >
>> >                 On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi
>> >                 <luca.boccassi at gmail.com> wrote:
>> >
>> >                     Thanks, existing fuzzers are the *_fuzzer.cpp files
>> >                     at: https://github.com/zeromq/libzmq/tree/master/tests
>> >
>> >
>> >                     On Wed, 19 Oct 2022 at 16:04, Amir Montazery
>> >                     <amir at ostif.org> wrote:
>> >
>> >                         Of course, that is understandable. Thank you all
>> >                         for maintaining such an important project
>> >                         despite your busy schedules! I hope we can find
>> >                         a way to help make your lives easier.
>> >
>> >                         What we can contribute is a security review by
>> >                         an experienced team to assess general design
>> >                         review; code quality, defensive programming, and
>> >                         best practices, as well as opportunities to
>> >                         improve fuzzing. Additional fuzzers can be built
>> >                         and the team can integrate the project to
>> >                         oss-fuzz for continuous monitoring of security
>> >                         issues. Based on our experience, when security
>> >                         teams have a line of contact with the project
>> >                         maintainers, they can be guided and better
>> >                         utilized to help.
>> >
>> >                         I'm fairly certain that we can provide new
>> >                         fuzzers/test cases and will get more specific
>> >                         details for you on that.
>> >
>> >                         Thank you!
>> >                         Amir
>> >
>> >
>> >
>> >
>> >
>> >                         On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi
>> >                         <luca.boccassi at gmail.com> wrote:
>> >
>> >                             Hi,
>> >
>> >                             Thanks for the offer, but let's continue via
>> >                             mail please, we are all very busy as-is.
>> >
>> >                             What can you contribute, concretely? I have
>> >                             already set up fuzzing some time ago. Can
>> >                             you provide new fuzzers/test cases? If so
>> >                             that would be great, just send pull requests
>> >                             to the repository.
>> >
>> >                             On Wed, 12 Oct 2022 at 13:10, Amir Montazery
>> >                             <amir at ostif.org> wrote:
>> >
>> >                                 We can help with whatever the project
>> >                                 needs. The intention is to connect the
>> >                                 project maintainer(s)/contributor(s)
>> >                                 with our security team (made up of
>> >                                 security experts and Google Open Source
>> >                                 Security engineers) to help where the
>> >                                 project needs it most. We can help with
>> >                                 bug fixes, security tooling i.e. fuzzing
>> >                                 and developing fuzzers for the project,
>> >                                 CI/CD, and anything else that will help
>> >                                 zeromq be more secure!
>> >
>> >                                 Thankfully we have resources to help and
>> >                                 are able to compensate maintainer(s) who
>> >                                 participate in the engagement to show
>> >                                 our gratitude for your time and efforts.
>> >
>> >                                 I'd be happy to set up a quick
>> >                                 introductory call with anyone interested
>> >                                 in learning more.
>> >
>> >                                 Thank you and have a great day!
>> >                                 Amir
>> >
>> >                                 On Tue, Oct 11, 2022 at 10:05 PM Luca
>> >                                 Boccassi <luca.boccassi at gmail.com> wrote:
>> >
>> >                                     Hi,
>> >
>> >                                     What kind of support are you able to
>> >                                     provide?
>> >
>> >                                     On Tue, 11 Oct 2022 at 14:30, Amir
>> >                                     Montazery <amir at ostif.org> wrote:
>> >
>> >                                         Yes, I meant zeromq. Thank you
>> >                                         Arnaud! That is my mistake.
>> >
>> >                                         That’s great news, we have teams
>> >                                         ready to help. Would you be a
>> >                                         good person to coordinate that
>> >                                         with? If anyone else comes to
>> >                                         mind to include please let me
>> know!
>> >
>> >                                         I would be happy to set up a
>> >                                         quick call to meet and discuss
>> >                                         how we can best be of service to
>> >                                         the zeromq project.
>> >
>> >                                         Thank you,
>> >                                         Amir
>> >
>> >                                         On Tue, Oct 11, 2022 at 1:22 PM
>> >                                         Arnaud Loonstra
>> >                                         <arnaud at sphaero.org> wrote:
>> >
>> >                                             Are you sure you are on the
>> >                                             right list? This is the zeromq
>> >                                             list, not dnsmasq.
>> >
>> >                                             We'd appreciate any help for
>> >                                             sure!
>> >
>> >                                             Rg,
>> >
>> >                                             Arnaud
>> >
>> >                                             On 07-10-2022 21:46, Amir
>> >                                             Montazery wrote:
>> >                                             > Hello dnsmasq community!
>> >                                             > OSTIF would like to help
>> >                                             > improve your security
>> >                                             > posture!
>> >                                             >
>> >                                             > I’m Amir from Open Source
>> >                                             > Technology Improvement Fund,
>> >                                             > Inc. OSTIF
>> >                                             > <https://ostif.org/> is a
>> >                                             > nonprofit solely dedicated
>> >                                             > to helping open source
>> >                                             > projects improve their
>> >                                             > security for free.
>> >                                             >
>> >                                             > We are working with a team
>> >                                             > of Google engineers and
>> >                                             > security experts to help
>> >                                             > important open source
>> >                                             > projects like dnsmasq. This
>> >                                             > includes helping improve
>> >                                             > testing, reviewing code,
>> >                                             > implementing more security
>> >                                             > tools, and improving supply
>> >                                             > chain security.
>> >                                             >
>> >                                             > Additionally, we understand
>> >                                             > the time constraints that
>> >                                             > open source contributors
>> >                                             > have, and would like to
>> >                                             > compensate contributors for
>> >                                             > their time working with us.
>> >                                             >
>> >                                             > We would love to work with
>> >                                             > you! Please let me know who
>> >                                             > we should be talking to and
>> >                                             > how we can help!
>> >                                             >
>> >                                             > Thank you in advance for
>> >                                             > your consideration!
>> >                                             >
>> >                                             > Best,
>> >                                             >
>> >                                             > Amir
>> >                                             >
>> >                                             > --
>> >                                             > *Amir Montazery*
>> >                                             > Managing Director
>> >                                             > Open Source Technology
>> >                                             > Improvement Fund
>> >                                             > https://ostif.org/
>> >                                             > https://calendly.com/ostif
>> >                                             >
>> >                                             > _______________________________________________
>> >                                             > zeromq-dev mailing list
>> >                                             > zeromq-dev at lists.zeromq.org
>> >                                             > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>>
>
>
>
>