On 211029 0853, Qiuhao Li wrote:
> Sounds great. How about mentioning this program on the Security
> Process web page [1]? Hackers who report vulnerabilities may be
> interested in fixing bugs.

Sounds like a good idea to me.

> Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems
> SD and virtio-9p are maintained now.

I'll double check that these have reports/reproducers on gitlab. For the 9p bugs, they seem to be specific to the "synth" backend which is only used for testing AFAIK.

> [1] https://www.qemu.org/contribute/security-process/
> [2] https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2
>
> ________________________________
> From: Alexander Bulekov <alx...@bu.edu>
> Sent: Thursday, October 28, 2021 22:48
> To: qemu-devel@nongnu.org <qemu-devel@nongnu.org>
> Cc: Paolo Bonzini <pbonz...@redhat.com>; Bandan Das <b...@redhat.com>; Stefan Hajnoczi <stefa...@redhat.com>; Thomas Huth <th...@redhat.com>; Darren Kenny <darren.ke...@oracle.com>; Qiuhao Li <qiuhao...@outlook.com>
> Subject: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
>
> Recently a pilot for the Secure Open Source Rewards program was
> announced [1]. Currently this program is run by the Linux Foundation and
> sponsored by the Google Open Source Security Team.
>
> The page mentions that patches for issues discovered by OSS-Fuzz may be
> eligible for rewards. This seems like it could be a good incentive for
> fixing fuzzer bugs.
>
> A couple notes:
> * The program also rewards contributions besides fuzzer-bug fixes.
>   Check out the page for full details.
> * It seems that QEMU would qualify for this program. The page mentions
>   that the project should have a greater than 0.6 OpenSSF Criticality
>   Score [2]. This score factors in statistics collected from github
>   (sic!). QEMU's score is currently 0.81078
> * Not limited to individual contributors. Vendors can also qualify for
>   rewards.
> * Work completed before Oct 1, 2021 does not qualify.
> * Individuals in some sanctioned countries are not eligible.
> * The process seems to be:
>   1. Send a fix upstream
>   2. Get it accepted
>   3. Fill out a form to apply for a reward
>
> Any thoughts about this? Should this be something we document/advertise
> somewhere, so developers are aware of this opportunity?
>
> [1] https://sos.dev/
> [2] https://github.com/ossf/criticality_score
>
> -Alex