Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit
last week for KubeCon meeting a number of projects we've done security
engagements with and collecting feedback.

I hope we can sync soon and discuss opportunities to help out with zeromq!
Our org OSTIF (https://ostif.org/) has been advocating for providing free
help to open source projects for almost 8 years now. We finally have some
resources on our bench to help projects out with their security needs. I am
finalizing what exactly that would look like in the next week!

I'll have updates and resources for you soon. In the meantime feel free to
reach out with any questions or feedback.

Thank you,
Amir

On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.bocca...@gmail.com>
wrote:

> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
> https://github.com/zeromq/libzmq/tree/master/tests
>
> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <a...@ostif.org> wrote:
>
>> Of course, that is understandable. Thank you all for maintaining such an
>> important project despite your busy schedules! I hope we can find a way to
>> help make your lives easier.
>>
>> What we can contribute is a security review by an experienced team to
>> assess general design review; code quality, defensive programming, and best
>> practices, as well as opportunities to improve fuzzing. Additional fuzzers
>> can be built and the team can integrate the project to oss-fuzz for
>> continuous monitoring of security issues. Based on our experience, when
>> security teams have a line of contact with the project maintainers, they
>> can be guided and better utilized to help.
>>
>> I'm fairly certain that we can provide new fuzzers/test cases and will
>> get more specific details for you on that.
>>
>> Thank you!
>> Amir
>>
>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <luca.bocca...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Thanks for the offer, but let's continue via mail please, we are all
>>> very busy as-is.
>>>
>>> What can you contribute, concretely? I have already set up fuzzing some
>>> time ago. Can you provide new fuzzers/test cases? If so that would be
>>> great, just send pull requests to the repository.
>>>
>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <a...@ostif.org> wrote:
>>>
>>>> We can help with whatever the project needs. The intention is to
>>>> connect the project maintainer(s)/contributor(s) with our security team
>>>> (made up of security experts and Google Open Source Security engineers) to
>>>> help where the project needs it most. We can help with bug fixes, security
>>>> tooling i.e. fuzzing and developing fuzzers for the project, CI/CD, and
>>>> anything else that will help zeromq be more secure!
>>>>
>>>> Thankfully we have resources to help and are able to compensate
>>>> maintainer(s) who participate in the engagement to show our gratitude for
>>>> your time and efforts.
>>>>
>>>> I'd be happy to set up a quick introductory call with anyone interested
>>>> in learning more.
>>>>
>>>> Thank you and have a great day!
>>>> Amir
>>>>
>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <luca.bocca...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> What kind of support are you able to provide?
>>>>>
>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <a...@ostif.org> wrote:
>>>>>
>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>
>>>>>> That’s great news, we have teams ready to help. Would you be a good
>>>>>> person to coordinate that with? If anyone else comes to mind to include
>>>>>> please let me know!
>>>>>>
>>>>>> I would be happy to set up a quick call to meet and discuss how we
>>>>>> can best be of service to the zeromq project.
>>>>>>
>>>>>> Thank you,
>>>>>> Amir
>>>>>>
>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <arn...@sphaero.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Are you sure you are on the right list? This is the zeromq list, not
>>>>>>> dnsmasq.
>>>>>>>
>>>>>>> We'd appreciate any help for sure!
>>>>>>>
>>>>>>> Rg,
>>>>>>>
>>>>>>> Arnaud
>>>>>>>
>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your
>>>>>>> > security posture!
>>>>>>> >
>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
>>>>>>> > <https://ostif.org/> is a nonprofit solely dedicated to helping open
>>>>>>> > source projects improve their security for free.
>>>>>>> >
>>>>>>> > We are working with a team of Google engineers and security experts to
>>>>>>> > help important open source projects like dnsmasq. This includes helping
>>>>>>> > improve testing, reviewing code, implementing more security tools, and
>>>>>>> > improving supply chain security.
>>>>>>> >
>>>>>>> > Additionally, we understand the time constraints that open source
>>>>>>> > contributors have, and would like to compensate contributors for their
>>>>>>> > time working with us.
>>>>>>> >
>>>>>>> > We would love to work with you! Please let me know who we should be
>>>>>>> > talking to and how we can help!
>>>>>>> >
>>>>>>> > Thank you in advance for your consideration!
>>>>>>> >
>>>>>>> > Best,
>>>>>>> >
>>>>>>> > Amir
>>>>>>> >
>>>>>>> >
>>>>>>> > --
>>>>>>> > *Amir Montazery*
>>>>>>> > Managing Director
>>>>>>> > Open Source Technology Improvement Fund
>>>>>>> > https://ostif.org/
>>>>>>> > https://calendly.com/ostif
>>>>>>> >
>>>>>>> >
>>>>>>> > _______________________________________________
>>>>>>> > zeromq-dev mailing list
>>>>>>> > zeromq-dev@lists.zeromq.org
>>>>>>> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev