[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

Amir Montazery amir at ostif.org
Tue Nov 22 19:06:31 CET 2022


Great! Thank you. I started an email thread to schedule the meeting. Feel
free to add any other maintainers interested.

Lmk if there are any questions in the meantime.

Thank you,
Amir

On Thu, Nov 17, 2022 at 10:57 AM Luca Boccassi <luca.boccassi at gmail.com>
wrote:

> Sounds good for me, thank you
>
> On Thu, 17 Nov 2022 at 16:36, Amir Montazery <amir at ostif.org> wrote:
>
>> Thank you! How does 3pm UTC on 6th December look?
>>
>> Thanks again,
>> Amir
>>
>> On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra <arnaud at sphaero.org>
>> wrote:
>>
>>> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>>>
>>> Rg,
>>>
>>> Arnaud
>>>
>>> On 16-11-2022 20:12, Luca Boccassi wrote:
>>> > For myself, before 4pm or after 7.30pm (UTC) both days
>>> >
>>> > On Wed, 16 Nov 2022 at 18:47, Amir Montazery <amir at ostif.org
>>> > <mailto:amir at ostif.org>> wrote:
>>> >
>>> >     Thank you! Many of us are in European timezones as well (I myself
>>> >     am based in Chicago, USA). Is there a time that works best on
>>> >     Monday, December 5th or Tuesday, December 6th?
>>> >
>>> >     On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi
>>> >     <luca.boccassi at gmail.com <mailto:luca.boccassi at gmail.com>> wrote:
>>> >
>>> >         Sounds great, thank you - most of us are in the European
>>> >         timezones, let us know when you have a date/time in mind
>>> >
>>> >         On Tue, 15 Nov 2022 at 18:02, Amir Montazery <amir at ostif.org
>>> >         <mailto:amir at ostif.org>> wrote:
>>> >
>>> >             Thank you to everyone who has helped so far! What we can
>>> >             concretely offer is below under "What you can expect". We
>>> >             totally understand you maintainers are busy so the process
>>> >             is designed to be easy for those who participate. We also
>>> >             have a budget to compensate maintainers who help out
>>> >             directly (that can go to a nonprofit of the project's
>>> >             choice as well).
>>> >
>>> >             Our first team of security experts is ready to meet the
>>> >             week of December 5th if you'd like to participate.
>>> >
>>> >             P.S. The OSTIF team plans to be in Brussels for FOSDEM so we
>>> >             hope to see some of you there!
>>> >
>>> >             Thank you and let me know who would like to participate.
>>> >
>>> >             - Amir
>>> >
>>> >
>>> >             What you can expect
>>> >
>>> >             Here is what we’re going to do (and need your help with)
>>> >             in a nutshell:
>>> >
>>> >             * We’ll Perform an Initial Assessment
>>> >
>>> >               o Meet with you to better understand and ask questions
>>> >                 about your package – its architecture, design
>>> >                 choices, known issues, and so on
>>> >
>>> >               o Install Scorecard
>>> >                 <https://github.com/ossf/scorecard#overview> if you
>>> >                 don’t already have it – this evaluates your
>>> >                 environment against a set of SDLC best practices
>>> >                 (see https://securityscorecards.dev/ for more info) –
>>> >                 and identify opportunities to improve low-scoring
>>> >                 checks
>>> >
>>> >               o Perform a quick code review, get your package to
>>> >                 build, check for quality and best practices
>>> >
>>> >               o Assess whether your package would benefit from
>>> >                 fuzzing and is compatible with our OSS-Fuzz
>>> >                 <https://google.github.io/oss-fuzz/> offering.
>>> >
>>> >               o Assess whether your package would benefit from SLSA
>>> >                 <https://slsa.dev/> and/or SBOM
>>> >                 <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>>> >                 software supply chain integrity (SSCI) technologies
>>> >                 (for example, do your users commonly build from
>>> >                 source or consume binaries that you build?)
>>> >
>>> >             * If Warranted, We’ll Proceed with an In-Depth Review
>>> >
>>> >               o Perform a targeted code review on your package to
>>> >                 identify security vulnerabilities or recommended
>>> >                 defense-in-depth fixes
>>> >
>>> >               o If applicable, integrate your package with the OSS-Fuzz
>>> >                 offering and tune it to achieve maximum coverage.
>>> >
>>> >               o Improve eligible Scorecard check scores
>>> >
>>> >               o Assist you with deploying SLSA and SBOM
>>> >
>>> >             Here’s what we’ll ask you to do:
>>> >
>>> >             * During the Initial Assessment
>>> >
>>> >               o Meet with us and our partners in a “kick-off”
>>> >                 meeting where we’ll ask you a number of questions
>>> >                 about your package and how it works to build a
>>> >                 shared threat model and scope the review
>>> >
>>> >             * During Our In-Depth Review
>>> >
>>> >               o Assist us with onboarding your package to OSS-Fuzz
>>> >                 if applicable, and you’ll be compensated for doing so
>>> >
>>> >               o Assist us with improving the Scorecard checks we
>>> >                 recommend, and you’ll be compensated for each
>>> >
>>> >               o Assist us with implementing SLSA and SBOM, if
>>> >                 applicable, and you’ll be compensated for doing so
>>> >
>>> >             * After our In-Depth Review
>>> >
>>> >               o Review the security vulnerabilities we find (if any)
>>> >                 and our recommended defense-in-depth fixes (if any),
>>> >                 and remediate each vulnerability within a reasonable
>>> >                 timeframe (we’ll work this out with you when the
>>> >                 time comes), and you’ll be compensated for each
>>> >
>>> >               o If applicable, produce a new build that includes all
>>> >                 of the improvements made during this process
>>> >
>>> >             On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery
>>> >             <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>>> >
>>> >                 Awesome! Thank you for that Luca. Apologies for the
>>> >                 lag, I was in Detroit last week for KubeCon meeting a
>>> >                 number of projects we've done security engagements
>>> >                 with and collecting feedback.
>>> >
>>> >                 I hope we can sync soon and discuss opportunities to
>>> >                 help out with zeromq! Our org OSTIF (https://ostif.org/)
>>> >                 has been advocating for providing free help to open
>>> >                 source projects for almost 8 years now. We finally
>>> >                 have some resources on our bench to help projects out
>>> >                 with their security needs. I am finalizing what
>>> >                 exactly that would look like in the next week!
>>> >
>>> >                 I'll have updates and resources for you soon. In the
>>> >                 meantime feel free to reach out with any questions or
>>> >                 feedback.
>>> >
>>> >                 Thank you,
>>> >                 Amir
>>> >
>>> >                 On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi
>>> >                 <luca.boccassi at gmail.com
>>> >                 <mailto:luca.boccassi at gmail.com>> wrote:
>>> >
>>> >                     Thanks, existing fuzzers are the *_fuzzer.cpp files
>>> >                     at: https://github.com/zeromq/libzmq/tree/master/tests
>>> >
>>> >                     On Wed, 19 Oct 2022 at 16:04, Amir Montazery
>>> >                     <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>>> >
>>> >                         Of course, that is understandable. Thank you
>>> >                         all for maintaining such an important project
>>> >                         despite your busy schedules! I hope we can find
>>> >                         a way to help make your lives easier.
>>> >
>>> >                         What we can contribute is a security review by
>>> >                         an experienced team to assess general design
>>> >                         review; code quality, defensive programming,
>>> >                         and best practices, as well as opportunities to
>>> >                         improve fuzzing. Additional fuzzers can be
>>> >                         built and the team can integrate the project to
>>> >                         oss-fuzz for continuous monitoring of security
>>> >                         issues. Based on our experience, when security
>>> >                         teams have a line of contact with the project
>>> >                         maintainers, they can be guided and better
>>> >                         utilized to help.
>>> >
>>> >                         I'm fairly certain that we can provide new
>>> >                         fuzzers/test cases and will get more specific
>>> >                         details for you on that.
>>> >
>>> >                         Thank you!
>>> >                         Amir
>>> >
>>> >                         On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi
>>> >                         <luca.boccassi at gmail.com
>>> >                         <mailto:luca.boccassi at gmail.com>> wrote:
>>> >
>>> >                             Hi,
>>> >
>>> >                             Thanks for the offer, but let's continue
>>> >                             via mail please, we are all very busy as-is.
>>> >
>>> >                             What can you contribute, concretely? I have
>>> >                             already set up fuzzing some time ago. Can
>>> >                             you provide new fuzzers/test cases? If so
>>> >                             that would be great, just send pull
>>> >                             requests to the repository.
>>> >
>>> >                             On Wed, 12 Oct 2022 at 13:10, Amir Montazery
>>> >                             <amir at ostif.org <mailto:amir at ostif.org>> wrote:
>>> >
>>> >                                 We can help with whatever the project
>>> >                                 needs. The intention is to connect the
>>> >                                 project maintainer(s)/contributor(s)
>>> >                                 with our security team (made up of
>>> >                                 security experts and Google Open Source
>>> >                                 Security engineers) to help where the
>>> >                                 project needs it most. We can help with
>>> >                                 bug fixes, security tooling i.e. fuzzing
>>> >                                 and developing fuzzers for the project,
>>> >                                 CI/CD, and anything else that will help
>>> >                                 zeromq be more secure!
>>> >
>>> >                                 Thankfully we have resources to help
>>> >                                 and are able to compensate maintainer(s)
>>> >                                 who participate in the engagement to show
>>> >                                 our gratitude for your time and efforts.
>>> >
>>> >                                 I'd be happy to set up a quick
>>> >                                 introductory call with anyone interested
>>> >                                 in learning more.
>>> >
>>> >                                 Thank you and have a great day!
>>> >                                 Amir
>>> >
>>> >                                 On Tue, Oct 11, 2022 at 10:05 PM Luca
>>> >                                 Boccassi <luca.boccassi at gmail.com
>>> >                                 <mailto:luca.boccassi at gmail.com>> wrote:
>>> >
>>> >                                     Hi,
>>> >
>>> >                                     What kind of support are you able
>>> >                                     to provide?
>>> >
>>> >                                     On Tue, 11 Oct 2022 at 14:30, Amir
>>> >                                     Montazery <amir at ostif.org
>>> >                                     <mailto:amir at ostif.org>> wrote:
>>> >
>>> >                                         Yes, I meant zeromq. Thank you
>>> >                                         Arnaud! That is my mistake.
>>> >
>>> >                                         That’s great news, we have
>>> >                                         teams ready to help. Would you be
>>> >                                         a good person to coordinate that
>>> >                                         with? If anyone else comes to
>>> >                                         mind to include please let me
>>> >                                         know!
>>> >
>>> >                                         I would be happy to set up a
>>> >                                         quick call to meet and discuss
>>> >                                         how we can best be of service
>>> >                                         to the zeromq project.
>>> >
>>> >                                         Thank you,
>>> >                                         Amir
>>> >
>>> >                                         On Tue, Oct 11, 2022 at 1:22 PM
>>> >                                         Arnaud Loonstra
>>> >                                         <arnaud at sphaero.org
>>> >                                         <mailto:arnaud at sphaero.org>> wrote:
>>> >
>>> >                                             Are you sure you are on the
>>> >                                             right list? This is the zeromq
>>> >                                             list, not dnsmasq.
>>> >
>>> >                                             We'd appreciate any help
>>> >                                             for sure!
>>> >
>>> >                                             Rg,
>>> >
>>> >                                             Arnaud
>>> >
>>> >                                             On 07-10-2022 21:46, Amir
>>> >                                             Montazery wrote:
>>> >                                              > Hello dnsmasq community!
>>> >                                              > OSTIF would like to help
>>> >                                              > improve your security
>>> >                                              > posture!
>>> >                                              >
>>> >                                              > I’m Amir from Open Source
>>> >                                              > Technology Improvement Fund,
>>> >                                              > Inc. OSTIF <https://ostif.org/>
>>> >                                              > is a nonprofit solely
>>> >                                              > dedicated to helping open
>>> >                                              > source projects improve
>>> >                                              > their security for free.
>>> >                                              >
>>> >                                              > We are working with a
>>> >                                              > team of Google engineers
>>> >                                              > and security experts to
>>> >                                              > help important open
>>> >                                              > source projects like
>>> >                                              > dnsmasq. This includes
>>> >                                              > helping improve testing,
>>> >                                              > reviewing code,
>>> >                                              > implementing more security
>>> >                                              > tools, and improving
>>> >                                              > supply chain security.
>>> >                                              >
>>> >                                              > Additionally, we
>>> >                                              > understand the time
>>> >                                              > constraints that open
>>> >                                              > source contributors have,
>>> >                                              > and would like to
>>> >                                              > compensate contributors
>>> >                                              > for their time working
>>> >                                              > with us.
>>> >                                              >
>>> >                                              > We would love to work
>>> >                                              > with you! Please let me
>>> >                                              > know who we should be
>>> >                                              > talking to and how we
>>> >                                              > can help!
>>> >                                              >
>>> >                                              > Thank you in advance for
>>> >                                              > your consideration!
>>> >                                              >
>>> >                                              > Best,
>>> >                                              >
>>> >                                              > Amir
>>> >                                              >
>>> >                                              > --
>>> >                                              > *Amir Montazery*
>>> >                                              > Managing Director
>>> >                                              > Open Source Technology
>>> >                                              > Improvement Fund
>>> >                                              > https://ostif.org/
>>> >                                              > https://calendly.com/ostif
>>> >                                              >
>>> >                                              > _______________________________________________
>>> >                                              > zeromq-dev mailing list
>>> >                                              > zeromq-dev at lists.zeromq.org
>>> >                                              > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>> >


-- 
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif