Is this strictly for libzmq or can child projects like jeromq get some help as well?
On Tue, Nov 15, 2022 at 1:07 PM Amir Montazery <a...@ostif.org> wrote:

> Thank you to everyone who has helped so far! What we can concretely offer is below under "What you can expect". We totally understand you maintainers are busy so the process is designed to be easy for those who participate. We also have a budget to compensate maintainers who help out directly (that can go to a nonprofit of the project's choice as well).
>
> Our first team of security experts is ready to meet the week of December 5th if you'd like to participate.
>
> P.S. The OSTIF team plans to be in Brussels for FOSDEM so we hope to see some of you there!
>
> Thank you and let me know who would like to participate.
>
> - Amir
>
>
> What you can expect
>
> Here are what we’re going to do (and need your help with) in a nutshell:
>
> - We’ll Perform an Initial Assessment
>   - Meet with you to better understand and ask questions about your package – its architecture, design choices, known issues, and so on
>   - Install Scorecard <https://github.com/ossf/scorecard#overview> if you don’t already have it – this evaluates your environment against a set of SDLC best practices (see https://securityscorecards.dev/ for more info) – and identify opportunities to improve low-scoring checks
>   - Perform a quick code review, get your package to build, check for quality and best practices
>   - Assess whether your package would benefit from fuzzing and is compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/> offering.
>   - Assess whether your package would benefit from SLSA <https://slsa.dev/> and/or SBOM <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>, software supply chain integrity (SSCI) technologies (for example, do your users commonly build from source or consume binaries that you build?)
> - If Warranted, We’ll Proceed with an In-Depth Review
>   - Perform a targeted code review on your package to identify security vulnerabilities or recommended defense-in-depth fixes
>   - If applicable, integrate your package with the OSS-Fuzz offering and tune it to achieve maximum coverage.
>   - Improve eligible Scorecard check scores
>   - Assist you with deploying SLSA and SBOM
>
> Here’s what we’ll ask you to do:
>
> - During the Initial Assessment
>   - Meet with us and our partners in a “kick-off” meeting where we’ll ask you a number of questions about your package and how it works to build a shared threat model and scope the review
> - During Our In-Depth Review
>   - Assist us with onboarding your package to OSS-Fuzz if applicable, and you’ll be compensated for doing so
>   - Assist us with improving the Scorecard checks we recommend, and you’ll be compensated for each
>   - Assist us with implementing SLSA and SBOM, if applicable, and you’ll be compensated for doing so
> - After our In-Depth Review
>   - Review the security vulnerabilities we find (if any) and our recommended defense-in-depth fixes (if any), and remediate each vulnerability within a reasonable timeframe (we’ll work this out with you when the time comes), and you’ll be compensated for each
>   - If applicable, produce a new build that includes all of the improvements made during this process
>
>
> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <a...@ostif.org> wrote:
>
>> Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit last week for KubeCon meeting a number of projects we've done security engagements with and collecting feedback.
>>
>> I hope we can sync soon and discuss opportunities to help out with zeromq! Our org OSTIF (https://ostif.org/) has been advocating for providing free help to open source projects for almost 8 years now. We finally have some resources on our bench to help projects out with their security needs. I am finalizing what exactly that would look like in the next week!
>>
>> I'll have updates and resources for you soon. In the meantime feel free to reach out with any questions or feedback.
>>
>> Thank you,
>> Amir
>>
>> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.bocca...@gmail.com> wrote:
>>
>>> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
>>> https://github.com/zeromq/libzmq/tree/master/tests
>>>
>>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <a...@ostif.org> wrote:
>>>
>>>> Of course, that is understandable. Thank you all for maintaining such an important project despite your busy schedules! I hope we can find a way to help make your lives easier.
>>>>
>>>> What we can contribute is a security review by an experienced team to assess general design review; code quality, defensive programming, and best practices, as well as opportunities to improve fuzzing. Additional fuzzers can be built and the team can integrate the project to oss-fuzz for continuous monitoring of security issues. Based on our experience, when security teams have a line of contact with the project maintainers, they can be guided and better utilized to help.
>>>>
>>>> I'm fairly certain that we can provide new fuzzers/test cases and will get more specific details for you on that.
>>>>
>>>> Thank you!
>>>> Amir
>>>>
>>>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <luca.bocca...@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for the offer, but let's continue via mail please, we are all very busy as-is.
>>>>>
>>>>> What can you contribute, concretely? I have already set up fuzzing some time ago. Can you provide new fuzzers/test cases? If so that would be great, just send pull requests to the repository.
>>>>>
>>>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <a...@ostif.org> wrote:
>>>>>
>>>>>> We can help with whatever the project needs. The intention is to connect the project maintainer(s)/contributor(s) with our security team (made up of security experts and Google Open Source Security engineers) to help where the project needs it most. We can help with bug fixes, security tooling, i.e. fuzzing and developing fuzzers for the project, CI/CD, and anything else that will help zeromq be more secure!
>>>>>>
>>>>>> Thankfully we have resources to help and are able to compensate maintainer(s) who participate in the engagement to show our gratitude for your time and efforts.
>>>>>>
>>>>>> I'd be happy to set up a quick introductory call with anyone interested in learning more.
>>>>>>
>>>>>> Thank you and have a great day!
>>>>>> Amir
>>>>>>
>>>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <luca.bocca...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> What kind of support are you able to provide?
>>>>>>>
>>>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <a...@ostif.org> wrote:
>>>>>>>
>>>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>>>
>>>>>>>> That’s great news, we have teams ready to help. Would you be a good person to coordinate that with? If anyone else comes to mind to include please let me know!
>>>>>>>>
>>>>>>>> I would be happy to set up a quick call to meet and discuss how we can best be of service to the zeromq project.
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> Amir
>>>>>>>>
>>>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <arn...@sphaero.org> wrote:
>>>>>>>>
>>>>>>>>> Are you sure you are on the right list? This is the zeromq list, not dnsmasq.
>>>>>>>>>
>>>>>>>>> We'd appreciate any help for sure!
>>>>>>>>>
>>>>>>>>> Rg,
>>>>>>>>>
>>>>>>>>> Arnaud
>>>>>>>>>
>>>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your security posture!
>>>>>>>>> >
>>>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF <https://ostif.org/> is a nonprofit solely dedicated to helping open source projects improve their security for free.
>>>>>>>>> >
>>>>>>>>> > We are working with a team of Google engineers and security experts to help important open source projects like dnsmasq. This includes helping improve testing, reviewing code, implementing more security tools, and improving supply chain security.
>>>>>>>>> >
>>>>>>>>> > Additionally, we understand the time constraints that open source contributors have, and would like to compensate contributors for their time working with us.
>>>>>>>>> >
>>>>>>>>> > We would love to work with you! Please let me know who we should be talking to and how we can help!
>>>>>>>>> >
>>>>>>>>> > Thank you in advance for your consideration!
>>>>>>>>> >
>>>>>>>>> > Best,
>>>>>>>>> >
>>>>>>>>> > Amir
>>>>>>>>> >
>>>>>>>>> > --
>>>>>>>>> > *Amir Montazery*
>>>>>>>>> > Managing Director
>>>>>>>>> > Open Source Technology Improvement Fund
>>>>>>>>> > https://ostif.org/
>>>>>>>>> > https://calendly.com/ostif

_______________________________________________
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev