Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-22 Thread Amir Montazery
Great! Thank you. I started an email thread to schedule the meeting. Feel
free to add any other maintainers interested.

Lmk if there are any questions in the meantime.

Thank you,
Amir

On Thu, Nov 17, 2022 at 10:57 AM Luca Boccassi wrote:

> Sounds good for me, thank you

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-17 Thread Luca Boccassi
Sounds good for me, thank you

On Thu, 17 Nov 2022 at 16:36, Amir Montazery wrote:

> Thank you! How does 3pm UTC on 6th December look?
>
> Thanks again,
> Amir

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-17 Thread Amir Montazery
Thank you! How does 3pm UTC on 6th December look?

Thanks again,
Amir

On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra wrote:

> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>
> Rg,
>
> Arnaud

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-16 Thread Arnaud Loonstra

Before 4pm UTC suits me as well, both days. I prefer the 6th.

Rg,

Arnaud

On 16-11-2022 20:12, Luca Boccassi wrote:

> For myself, before 4pm or after 7.30pm (UTC) both days

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-16 Thread Luca Boccassi
For myself, before 4pm or after 7.30pm (UTC) both days

On Wed, 16 Nov 2022 at 18:47, Amir Montazery wrote:

> Thank you! Many of us are in European timezones as well (I myself am based
> in Chicago, USA). Is there a time that works best on Monday, December 5th
> or Tuesday, December 6th?

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-16 Thread Amir Montazery
Thank you! Many of us are in European timezones as well (I myself am based
in Chicago, USA). Is there a time that works best on Monday, December 5th
or Tuesday, December 6th?

On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi wrote:

> Sounds great, thank you - most of us are in the European timezones, let us
> know when you have a date/time in mind

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-15 Thread Luca Boccassi
Sounds great, thank you - most of us are in the European timezones, let us
know when you have a date/time in mind

On Tue, 15 Nov 2022 at 18:02, Amir Montazery wrote:

> Thank you to everyone who has helped so far! What we can concretely offer
> is below under "What you can expect". We totally understand you maintainers
> are busy so the process is designed to be easy for those who participate.
> We also have a budget to compensate maintainers who help out directly (that
> can go to a nonprofit of the project's choice as well).
>
> Our first team of security experts is ready to meet the week of December
> 5th if you'd like to participate.
>
> P.S. The OSTIF team plans to be in Brussels for FOSDEM so we hope to see
> some of you there!
>
> Thank you and let me know who would like to participate.
>
> - Amir
>
>
> What you can expect
>
> Here is what we’re going to do (and need your help with) in a nutshell:
>
> - We’ll Perform an Initial Assessment
>   - Meet with you to better understand and ask questions about your
>     package – its architecture, design choices, known issues, and so on
>   - Install Scorecard if you don’t already have it – this evaluates your
>     environment against a set of SDLC best practices (see
>     https://securityscorecards.dev/ for more info) – and identify
>     opportunities to improve low-scoring checks
>   - Perform a quick code review, get your package to build, check for
>     quality and best practices
>   - Assess whether your package would benefit from fuzzing and is
>     compatible with our OSS-Fuzz offering.
>   - Assess whether your package would benefit from SLSA and/or SBOM
>     (https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html),
>     software supply chain integrity (SSCI) technologies (for example, do
>     your users commonly build from source or consume binaries that you
>     build?)
>
> - If Warranted, We’ll Proceed with an In-Depth Review
>   - Perform a targeted code review on your package to identify security
>     vulnerabilities or recommended defense-in-depth fixes
>   - If applicable, integrate your package with the OSS-Fuzz offering and
>     tune it to achieve maximum coverage.
>   - Improve eligible Scorecard check scores
>   - Assist you with deploying SLSA and SBOM
>
> Here’s what we’ll ask you to do:
>
> - During the Initial Assessment
>   - Meet with us and our partners in a “kick-off” meeting where we’ll ask
>     you a number of questions about your package and how it works to
>     build a shared threat model and scope the review
>
> - During Our In-Depth Review
>   - Assist us with onboarding your package to OSS-Fuzz if applicable, and
>     you’ll be compensated for doing so
>   - Assist us with improving the Scorecard checks we recommend, and you’ll
>     be compensated for each
>   - Assist us with implementing SLSA and SBOM, if applicable, and you’ll
>     be compensated for doing so
>
> - After our In-Depth Review
>   - Review the security vulnerabilities we find (if any) and our
>     recommended defense-in-depth fixes (if any), and remediate each
>     vulnerability within a reasonable timeframe (we’ll work this out with
>     you when the time comes), and you’ll be compensated for each
>   - If applicable, produce a new build that includes all of the
>     improvements made during this process
>
> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery wrote:
>
>> Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit
>> last week for KubeCon meeting a number of projects we've done security
>> engagements with and collecting feedback.
>>
>> I hope we can sync soon and discuss opportunities to help out with
>> zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
>> providing free help to open source projects for almost 8 years now. We
>> finally have some resources on our bench to help projects out with their
>> security needs. I am finalizing what exactly that would look like in the
>> next week!
>>
>> I'll have updates and resources for you soon. In the meantime feel free
>> to reach out with any questions or feedback.
>>
>> Thank you,
>> Amir
>>
>> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi wrote:
>>
>>> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
>>> https://github.com/zeromq/libzmq/tree/master/tests
>>>
>>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery wrote:
>>>
>>>> Of course, that is understandable. Thank you all for maintaining such
>>>> an important project despite your busy schedules! I hope we can find a way
>>>> to help 

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-15 Thread Amir Montazery
Thank you for the response Trevor. For the sake of this pilot, we're
focusing mainly on libzmq. We have some folks who are very well-versed in
C++ ready to go.

On Tue, Nov 15, 2022 at 1:31 PM Trevor Bernard wrote:

> Is this strictly for libzmq or can child projects like jeromq get some
> help as well?
>

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-15 Thread Trevor Bernard
Is this strictly for libzmq or can child projects like jeromq get some help
as well?

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-15 Thread Amir Montazery
Thank you to everyone who has helped so far! What we can concretely offer
is below under "What you can expect". We totally understand you maintainers
are busy so the process is designed to be easy for those who participate.
We also have a budget to compensate maintainers who help out directly (that
can go to a nonprofit of the project's choice as well).

Our first team of security experts is ready to meet the week of December
5th if you'd like to participate.

P.S. The OSTIF team plans to be in Brussels for FOSDEM so we hope to see
some of you there!

Thank you and let me know who would like to participate.

- Amir


What you can expect

Here is what we’re going to do (and need your help with) in a nutshell:

- We’ll Perform an Initial Assessment
  - Meet with you to better understand and ask questions about your
    package: its architecture, design choices, known issues, and so on
  - Install Scorecard if you don’t already have it (this evaluates your
    environment against a set of SDLC best practices; see
    https://securityscorecards.dev/ for more info) and identify
    opportunities to improve low-scoring checks
  - Perform a quick code review, get your package to build, check for
    quality and best practices
  - Assess whether your package would benefit from fuzzing and is
    compatible with our OSS-Fuzz offering
  - Assess whether your package would benefit from SLSA and/or SBOM,
    software supply chain integrity (SSCI) technologies (for example, do
    your users commonly build from source or consume binaries that you
    build?)
- If Warranted, We’ll Proceed with an In-Depth Review
  - Perform a targeted code review on your package to identify security
    vulnerabilities or recommended defense-in-depth fixes
  - If applicable, integrate your package with the OSS-Fuzz offering and
    tune it to achieve maximum coverage
  - Improve eligible Scorecard check scores
  - Assist you with deploying SLSA and SBOM

Here’s what we’ll ask you to do:

- During the Initial Assessment
  - Meet with us and our partners in a “kick-off” meeting where we’ll ask
    you a number of questions about your package and how it works, to
    build a shared threat model and scope the review
- During Our In-Depth Review
  - Assist us with onboarding your package to OSS-Fuzz if applicable, and
    you’ll be compensated for doing so
  - Assist us with improving the Scorecard checks we recommend, and
    you’ll be compensated for each
  - Assist us with implementing SLSA and SBOM, if applicable, and you’ll
    be compensated for doing so
- After Our In-Depth Review
  - Review the security vulnerabilities we find (if any) and our
    recommended defense-in-depth fixes (if any), and remediate each
    vulnerability within a reasonable timeframe (we’ll work this out with
    you when the time comes), and you’ll be compensated for each
  - If applicable, produce a new build that includes all of the
    improvements made during this process


Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-31 Thread Amir Montazery
Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit
last week for KubeCon meeting a number of projects we've done security
engagements with and collecting feedback.

I hope we can sync soon and discuss opportunities to help out with zeromq!
Our org OSTIF (https://ostif.org/) has been advocating for providing free
help to open source projects for almost 8 years now. We finally have some
resources on our bench to help projects out with their security needs. I am
finalizing what exactly that would look like in the next week!

I'll have updates and resources for you soon. In the meantime feel free to
reach out with any questions or feedback.

Thank you,
Amir


Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-19 Thread Luca Boccassi
Thanks, existing fuzzers are the *_fuzzer.cpp files at:
https://github.com/zeromq/libzmq/tree/master/tests


Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-19 Thread Amir Montazery
Of course, that is understandable. Thank you all for maintaining such an
important project despite your busy schedules! I hope we can find a way to
help make your lives easier.

What we can contribute is a security review by an experienced team to
assess general design review; code quality, defensive programming, and best
practices, as well as opportunities to improve fuzzing. Additional fuzzers
can be built and the team can integrate the project to oss-fuzz for
continuous monitoring of security issues. Based on our experience, when
security teams have a line of contact with the project maintainers, they
can be guided and better utilized to help.

I'm fairly certain that we can provide new fuzzers/test cases and will get
more specific details for you on that.

Thank you!
Amir

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-18 Thread Luca Boccassi
Hi,

Thanks for the offer, but let's continue via mail please, we are all very
busy as-is.

What can you contribute, concretely? I have already set up fuzzing some
time ago. Can you provide new fuzzers/test cases? If so that would be
great, just send pull requests to the repository.

___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev


Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-12 Thread Amir Montazery
We can help with whatever the project needs. The intention is to connect
the project maintainer(s)/contributor(s) with our security team (made up of
security experts and Google Open Source Security engineers) to help where
the project needs it most. We can help with bug fixes, security tooling, i.e.
fuzzing and developing fuzzers for the project, CI/CD, and anything else
that will help zeromq be more secure!

Thankfully we have resources to help and are able to compensate
maintainer(s) who participate in the engagement to show our gratitude for
your time and efforts.

I'd be happy to set up a quick introductory call with anyone interested in
learning more.

Thank you and have a great day!
Amir

On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi 
wrote:

> Hi,
>
> What kind of support are you able to provide?
>
> On Tue, 11 Oct 2022 at 14:30, Amir Montazery  wrote:
>
>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>
>> That’s great news, we have teams ready to help. Would you be a good
>> person to coordinate that with? If anyone else comes to mind to include
>> please let me know!
>>
>> I would be happy to set up a quick call to meet and discuss how we can
>> best be of service to the zeromq project.
>>
>> Thank you,
>> Amir
>>
>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra 
>> wrote:
>>
>>> Are you sure you are on the right list? This is the zeromq list, not dnsmasq.
>>>
>>> We'd appreciate any help for sure!
>>>
>>> Rg,
>>>
>>> Arnaud
>>>
>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>> > Hello dnsmasq community! OSTIF would like to help improve your security
>>> > posture!
>>> >
>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF is a
>>> > nonprofit solely dedicated to helping open source projects improve their
>>> > security for free.
>>> >
>>> > We are working with a team of Google engineers and security experts to
>>> > help important open source projects like dnsmasq. This includes helping
>>> > improve testing, reviewing code, implementing more security tools, and
>>> > improving supply chain security.
>>> >
>>> > Additionally, we understand the time constraints that open source
>>> > contributors have, and would like to compensate contributors for their
>>> > time working with us.
>>> >
>>> > We would love to work with you! Please let me know who we should be
>>> > talking to and how we can help!
>>> >
>>> > Thank you in advance for your consideration!
>>> >
>>> > Best,
>>> >
>>> > Amir
>>> >


-- 
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif
___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev


Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-11 Thread Luca Boccassi
Hi,

What kind of support are you able to provide?

On Tue, 11 Oct 2022 at 14:30, Amir Montazery  wrote:

> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>
> That’s great news, we have teams ready to help. Would you be a good person
> to coordinate that with? If anyone else comes to mind to include please let
> me know!
>
> I would be happy to set up a quick call to meet and discuss how we can
> best be of service to the zeromq project.
>
> Thank you,
> Amir
>


Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-11 Thread Amir Montazery
Yes, I meant zeromq. Thank you Arnaud! That is my mistake.

That’s great news, we have teams ready to help. Would you be a good person
to coordinate that with? If anyone else comes to mind to include please let
me know!

I would be happy to set up a quick call to meet and discuss how we can best
be of service to the zeromq project.

Thank you,
Amir

On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra  wrote:

> Are you sure you are on the right list? This is the zeromq list, not dnsmasq.
>
> We'd appreciate any help for sure!
>
> Rg,
>
> Arnaud
>
-- 
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif


Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-10-11 Thread Arnaud Loonstra

Are you sure you are on the right list? This is the zeromq list, not dnsmasq.

We'd appreciate any help for sure!

Rg,

Arnaud

On 07-10-2022 21:46, Amir Montazery wrote:
Hello dnsmasq community! OSTIF would like to help improve your security
posture!

I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
 is a nonprofit solely dedicated to helping open
source projects improve their security for free.

We are working with a team of Google engineers and security experts to
help important open source projects like dnsmasq. This includes helping
improve testing, reviewing code, implementing more security tools, and
improving supply chain security.

Additionally, we understand the time constraints that open source
contributors have, and would like to compensate contributors for their
time working with us.

We would love to work with you! Please let me know who we should be
talking to and how we can help!

Thank you in advance for your consideration!

Best,

Amir

--
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif
