Thank you to everyone who has helped so far! What we can concretely offer
is below under "What you can expect". We totally understand you maintainers
are busy so the process is designed to be easy for those who participate.
We also have a budget to compensate maintainers who help out directly (that
can go to a nonprofit of the project's choice as well).
Our first team of security experts is ready to meet the week of December
5th if you'd like to participate.
p.s The OSTIF team plans to be in Brussels for fosdem so we hope to see
some of you there!
Thank you and let me know who would like to participate.
- Amir
What you can expect
Here are what we’re going to do (and need your help with) in a nutshell:
-
We’ll Perform an Initial Assessment
-
Meet with you to better understand and ask questions about your
package – its architecture, design choices, known issues, and so on
-
Install Scorecard <https://github.com/ossf/scorecard#overview> if you
don’t already have it – this evaluates your environment against a set of
SDLC best practices (see https://securityscorecards.dev/ for more
info) – and identify opportunities to improve low-scoring checks
-
Perform a quick code review, get your package to build, check for
quality and best practices
-
Assess whether your package would benefit from fuzzing and is
compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/>
offering.
-
Assess whether your package would benefit from SLSA
<https://slsa.dev/> and/or SBOM
<https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
software supply chain integrity (SSCI) technologies (for example, do your
users commonly build from source or consume binaries that you build?)
-
If Warranted, We’ll Proceed with an In-Depth Review
-
Perform an targeted code review on your package to identify security
vulnerabilities or recommended defense-in-depth fixes
-
If applicable, integrate your package with the OSS Fuzz offering and
tune it to achieve maximum coverage.
-
Improve eligible Scorecard check scores
-
Assist you with deploying SLSA and SBOM
Here’s what we’ll ask you to do:
-
During the Initial Assessment
-
Meet with us and our partners in a “kick-off” meeting where we’ll ask
you a number of questions about your package and how it works to build a
shared threat model and scope the review
-
During Our In-Depth Review
-
Assist us with onboarding your package to OSS-Fuzz if applicable, and
you’ll be compensated for doing so
-
Assist us with improving the Scorecard checks we recommend, and
you’ll be compensated for each
-
Assist us with implementing SLSA and SBOM, if applicable, and you’ll
be compensated for doing so
-
After our In-Depth Review
-
Review the security vulnerabilities we find (if any) and our
recommended defense-in-depth fixes (if any), and remediate each
vulnerability within a reasonable timeframe (we’ll work this out with you
when the time comes), and you’ll be compensated for each
-
If applicable, produce a new build that includes all of the
improvements made during this process
On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <a...@ostif.org> wrote:
> Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit
> last week for KubeCon meeting a number of projects we've done security
> engagements with and collecting feedback.
>
> I hope we can sync soon and discuss opportunities to help out with zeromq!
> Our org OSTIF (https://ostif.org/) has been advocating for providing free
> help to open source projects for almost 8 years now. We finally have some
> resources on our bench to help projects out with their security needs. I am
> finalizing what exactly that would look like in the next week!
>
> I'll have updates and resources for you soon. In the meantime feel free to
> reach out with any questions or feedback.
>
> Thank you,
> Amir
>
> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.bocca...@gmail.com>
> wrote:
>
>> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
>> https://github.com/zeromq/libzmq/tree/master/tests
>>
>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <a...@ostif.org> wrote:
>>
>>> Of course, that is understandable. Thank you all for maintaining such an
>>> important project despite your busy schedules! I hope we can find a way to
>>> help make your lives easier.
>>>
>>> What we can contribute is a security review by an experienced team to
>>> assess general design review; code quality, defensive programming, and best
>>> practices, as well as opportunities to improve fuzzing. Additional fuzzers
>>> can be built and the team can integrate the project to oss-fuzz for
>>> continuous monitoring of security issues. Based on our experience, when
>>> security teams have a line of contact with the project maintainers, they
>>> can be guided and better utilized to help.
>>>
>>> I'm fairly certain that we can provide new fuzzers/test cases and will
>>> get more specific details for you on that.
>>>
>>> Thank you!
>>> Amir
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <luca.bocca...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for the offer, but let's continue via mail please, we are all
>>>> very busy as-is.
>>>>
>>>> What can you contribute, concretely? I have already set up fuzzing some
>>>> time ago. Can you provide new fuzzers/test cases? If so that would be
>>>> great, just send pull requests to the repository.
>>>>
>>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <a...@ostif.org> wrote:
>>>>
>>>>> We can help with whatever the project needs. The intention is to
>>>>> connect the project maintainer(s)/contributor(s) with our security team
>>>>> (made up of security experts and Google Open Source Security engineers) to
>>>>> help where the project needs it most. We can help with bug fixes, security
>>>>> tooling i.e fuzzing and developing fuzzers for the project, CI/CD, and
>>>>> anything else that will help zeromq be more secure!
>>>>>
>>>>> Thankfully we have resources to help and are able to compensate
>>>>> maintainer(s) who participate in the engagement to show our gratitude for
>>>>> your time and efforts.
>>>>>
>>>>> I'd be happy to set up a quick introductory call with anyone
>>>>> interested in learning more.
>>>>>
>>>>> Thank you and have a great day!
>>>>> Amir
>>>>>
>>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <
>>>>> luca.bocca...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> What kind of support are you able to provide?
>>>>>>
>>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <a...@ostif.org> wrote:
>>>>>>
>>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>>
>>>>>>> That’s great news, we have teams ready to help. Would you be a good
>>>>>>> person to coordinate that with? If anyone else comes to mind to include
>>>>>>> please let me know!
>>>>>>>
>>>>>>> I would be happy to set up a quick call to meet and discuss how we
>>>>>>> can best be of service to the zeromq project.
>>>>>>>
>>>>>>> Thank you,
>>>>>>> Amir
>>>>>>>
>>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <arn...@sphaero.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Are you sure you are on the right list? This the zeromq list not
>>>>>>>> dnsmasq.
>>>>>>>>
>>>>>>>> We'd appreciate any help for sure!
>>>>>>>>
>>>>>>>> Rg,
>>>>>>>>
>>>>>>>> Arnaud
>>>>>>>>
>>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your
>>>>>>>> security
>>>>>>>> > posture!
>>>>>>>> >
>>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
>>>>>>>> > <https://ostif.org/> is a nonprofit solely dedicated to helping
>>>>>>>> open
>>>>>>>> > source projects improve their security for free.
>>>>>>>> >
>>>>>>>> > We are working with a team of Google engineers and security
>>>>>>>> experts to
>>>>>>>> > help important open source projects like dnsmasq. This includes
>>>>>>>> helping
>>>>>>>> > improve testing, reviewing code, implementing more security
>>>>>>>> tools, and
>>>>>>>> > improving supply chain security.
>>>>>>>> >
>>>>>>>> > Additionally, we understand the time constraints that open source
>>>>>>>> > contributors have, and would like to compensate contributors for
>>>>>>>> their
>>>>>>>> > time working with us.
>>>>>>>> >
>>>>>>>> > We would love to work with you! Please let me know who we should
>>>>>>>> be
>>>>>>>> > talking to and how we can help!
>>>>>>>> >
>>>>>>>> > Thank you in advance for your consideration!
>>>>>>>> >
>>>>>>>> > Best,
>>>>>>>> >
>>>>>>>> > Amir
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > *Amir Montazery*
>>>>>>>> > Managing Director
>>>>>>>> > Open Source Technology Improvement Fund
>>>>>>>> > https://ostif.org/ <https://ostif.org/>
>>>>>>>> > https://calendly.com/ostif <https://calendly.com/ostif>
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > _______________________________________________
>>>>>>>> > zeromq-dev mailing list
>>>>>>>> > zeromq-dev@lists.zeromq.org
>>>>>>>> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>>>> _______________________________________________
>>>>>>>> zeromq-dev mailing list
>>>>>>>> zeromq-dev@lists.zeromq.org
>>>>>>>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>>>>
>>>>>>> --
>>>>>>> *Amir Montazery*
>>>>>>> Managing Director
>>>>>>> Open Source Technology Improvement Fund
>>>>>>> https://ostif.org/
>>>>>>> https://calendly.com/ostif
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> zeromq-dev mailing list
>>>>>>> zeromq-dev@lists.zeromq.org
>>>>>>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>>>
>>>>>> _______________________________________________
>>>>>> zeromq-dev mailing list
>>>>>> zeromq-dev@lists.zeromq.org
>>>>>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Amir Montazery*
>>>>> Managing Director
>>>>> Open Source Technology Improvement Fund
>>>>> https://ostif.org/
>>>>> https://calendly.com/ostif
>>>>>
>>>>> _______________________________________________
>>>>> zeromq-dev mailing list
>>>>> zeromq-dev@lists.zeromq.org
>>>>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>
>>>> _______________________________________________
>>>> zeromq-dev mailing list
>>>> zeromq-dev@lists.zeromq.org
>>>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>
>>>
>>>
>>> --
>>> *Amir Montazery*
>>> Managing Director
>>> Open Source Technology Improvement Fund
>>> https://ostif.org/
>>> https://calendly.com/ostif
>>>
>>> _______________________________________________
>>> zeromq-dev mailing list
>>> zeromq-dev@lists.zeromq.org
>>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev@lists.zeromq.org
>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>
>
>
> --
> *Amir Montazery*
> Managing Director
> Open Source Technology Improvement Fund
> https://ostif.org/
> https://calendly.com/ostif
>
>
--
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif
_______________________________________________
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev
