Thank you for the response, Trevor. For the sake of this pilot, we're focusing mainly on libzmq. We have some folks who are very well-versed in C++ ready to go.
On Tue, Nov 15, 2022 at 1:31 PM Trevor Bernard <trevor.bern...@gmail.com> wrote:
> Is this strictly for libzmq or can child projects like jeromq get some
> help as well?
>
> On Tue, Nov 15, 2022 at 1:07 PM Amir Montazery <a...@ostif.org> wrote:
>
>> Thank you to everyone who has helped so far! What we can concretely offer
>> is below under "What you can expect". We totally understand you maintainers
>> are busy so the process is designed to be easy for those who participate.
>> We also have a budget to compensate maintainers who help out directly (that
>> can go to a nonprofit of the project's choice as well).
>>
>> Our first team of security experts is ready to meet the week of December
>> 5th if you'd like to participate.
>>
>> p.s. The OSTIF team plans to be in Brussels for FOSDEM so we hope to see
>> some of you there!
>>
>> Thank you and let me know who would like to participate.
>>
>> - Amir
>>
>> What you can expect
>>
>> Here is what we’re going to do (and need your help with) in a nutshell:
>>
>> - We’ll Perform an Initial Assessment
>>   - Meet with you to better understand and ask questions about your
>>     package – its architecture, design choices, known issues, and so on
>>   - Install Scorecard <https://github.com/ossf/scorecard#overview> if
>>     you don’t already have it – this evaluates your environment against a
>>     set of SDLC best practices (see https://securityscorecards.dev/ for
>>     more info) – and identify opportunities to improve low-scoring checks
>>   - Perform a quick code review, get your package to build, check for
>>     quality and best practices
>>   - Assess whether your package would benefit from fuzzing and is
>>     compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/>
>>     offering.
>>   - Assess whether your package would benefit from SLSA
>>     <https://slsa.dev/> and/or SBOM
>>     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>>     software supply chain integrity (SSCI) technologies (for example, do
>>     your users commonly build from source or consume binaries that you build?)
>> - If Warranted, We’ll Proceed with an In-Depth Review
>>   - Perform a targeted code review on your package to identify
>>     security vulnerabilities or recommended defense-in-depth fixes
>>   - If applicable, integrate your package with the OSS-Fuzz offering
>>     and tune it to achieve maximum coverage.
>>   - Improve eligible Scorecard check scores
>>   - Assist you with deploying SLSA and SBOM
>>
>> Here’s what we’ll ask you to do:
>>
>> - During the Initial Assessment
>>   - Meet with us and our partners in a “kick-off” meeting where we’ll
>>     ask you a number of questions about your package and how it works to
>>     build a shared threat model and scope the review
>> - During Our In-Depth Review
>>   - Assist us with onboarding your package to OSS-Fuzz if applicable,
>>     and you’ll be compensated for doing so
>>   - Assist us with improving the Scorecard checks we recommend, and
>>     you’ll be compensated for each
>>   - Assist us with implementing SLSA and SBOM, if applicable, and
>>     you’ll be compensated for doing so
>> - After our In-Depth Review
>>   - Review the security vulnerabilities we find (if any) and our
>>     recommended defense-in-depth fixes (if any), and remediate each
>>     vulnerability within a reasonable timeframe (we’ll work this out with
>>     you when the time comes), and you’ll be compensated for each
>>   - If applicable, produce a new build that includes all of the
>>     improvements made during this process
>>
>> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <a...@ostif.org> wrote:
>>
>>> Awesome! Thank you for that Luca.
>>> Apologies for the lag, I was in Detroit last week for KubeCon meeting a
>>> number of projects we've done security engagements with and collecting
>>> feedback.
>>>
>>> I hope we can sync soon and discuss opportunities to help out with
>>> zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
>>> providing free help to open source projects for almost 8 years now. We
>>> finally have some resources on our bench to help projects out with their
>>> security needs. I am finalizing what exactly that would look like in the
>>> next week!
>>>
>>> I'll have updates and resources for you soon. In the meantime feel free
>>> to reach out with any questions or feedback.
>>>
>>> Thank you,
>>> Amir
>>>
>>> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.bocca...@gmail.com>
>>> wrote:
>>>
>>>> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
>>>> https://github.com/zeromq/libzmq/tree/master/tests
>>>>
>>>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <a...@ostif.org> wrote:
>>>>
>>>>> Of course, that is understandable. Thank you all for maintaining such
>>>>> an important project despite your busy schedules! I hope we can find a way
>>>>> to help make your lives easier.
>>>>>
>>>>> What we can contribute is a security review by an experienced team to
>>>>> assess general design review; code quality, defensive programming, and
>>>>> best practices, as well as opportunities to improve fuzzing. Additional
>>>>> fuzzers can be built and the team can integrate the project to oss-fuzz for
>>>>> continuous monitoring of security issues. Based on our experience, when
>>>>> security teams have a line of contact with the project maintainers, they
>>>>> can be guided and better utilized to help.
>>>>>
>>>>> I'm fairly certain that we can provide new fuzzers/test cases and will
>>>>> get more specific details for you on that.
>>>>>
>>>>> Thank you!
>>>>> Amir
>>>>>
>>>>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <luca.bocca...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thanks for the offer, but let's continue via mail please, we are all
>>>>>> very busy as-is.
>>>>>>
>>>>>> What can you contribute, concretely? I have already set up fuzzing
>>>>>> some time ago. Can you provide new fuzzers/test cases? If so that would
>>>>>> be great, just send pull requests to the repository.
>>>>>>
>>>>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <a...@ostif.org> wrote:
>>>>>>
>>>>>>> We can help with whatever the project needs. The intention is to
>>>>>>> connect the project maintainer(s)/contributor(s) with our security team
>>>>>>> (made up of security experts and Google Open Source Security engineers)
>>>>>>> to help where the project needs it most. We can help with bug fixes,
>>>>>>> security tooling, i.e. fuzzing and developing fuzzers for the project,
>>>>>>> CI/CD, and anything else that will help zeromq be more secure!
>>>>>>>
>>>>>>> Thankfully we have resources to help and are able to compensate
>>>>>>> maintainer(s) who participate in the engagement to show our gratitude
>>>>>>> for your time and efforts.
>>>>>>>
>>>>>>> I'd be happy to set up a quick introductory call with anyone
>>>>>>> interested in learning more.
>>>>>>>
>>>>>>> Thank you and have a great day!
>>>>>>> Amir
>>>>>>>
>>>>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <
>>>>>>> luca.bocca...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What kind of support are you able to provide?
>>>>>>>>
>>>>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <a...@ostif.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>>>>
>>>>>>>>> That’s great news, we have teams ready to help. Would you be a
>>>>>>>>> good person to coordinate that with? If anyone else comes to mind to
>>>>>>>>> include please let me know!
>>>>>>>>>
>>>>>>>>> I would be happy to set up a quick call to meet and discuss how we
>>>>>>>>> can best be of service to the zeromq project.
>>>>>>>>>
>>>>>>>>> Thank you,
>>>>>>>>> Amir
>>>>>>>>>
>>>>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <
>>>>>>>>> arn...@sphaero.org> wrote:
>>>>>>>>>
>>>>>>>>>> Are you sure you are on the right list? This is the zeromq list, not
>>>>>>>>>> dnsmasq.
>>>>>>>>>>
>>>>>>>>>> We'd appreciate any help for sure!
>>>>>>>>>>
>>>>>>>>>> Rg,
>>>>>>>>>>
>>>>>>>>>> Arnaud
>>>>>>>>>>
>>>>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your
>>>>>>>>>> > security posture!
>>>>>>>>>> >
>>>>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
>>>>>>>>>> > <https://ostif.org/> is a nonprofit solely dedicated to helping
>>>>>>>>>> > open source projects improve their security for free.
>>>>>>>>>> >
>>>>>>>>>> > We are working with a team of Google engineers and security
>>>>>>>>>> > experts to help important open source projects like dnsmasq. This
>>>>>>>>>> > includes helping improve testing, reviewing code, implementing
>>>>>>>>>> > more security tools, and improving supply chain security.
>>>>>>>>>> >
>>>>>>>>>> > Additionally, we understand the time constraints that open source
>>>>>>>>>> > contributors have, and would like to compensate contributors for
>>>>>>>>>> > their time working with us.
>>>>>>>>>> >
>>>>>>>>>> > We would love to work with you! Please let me know who we should
>>>>>>>>>> > be talking to and how we can help!
>>>>>>>>>> >
>>>>>>>>>> > Thank you in advance for your consideration!
>>>>>>>>>> >
>>>>>>>>>> > Best,
>>>>>>>>>> >
>>>>>>>>>> > Amir
>>>>>>>>>> >
>>>>>>>>>> > --
>>>>>>>>>> > *Amir Montazery*
>>>>>>>>>> > Managing Director
>>>>>>>>>> > Open Source Technology Improvement Fund
>>>>>>>>>> > https://ostif.org/
>>>>>>>>>> > https://calendly.com/ostif
>>>>>>>>>> >
>>>>>>>>>> > _______________________________________________
>>>>>>>>>> > zeromq-dev mailing list
>>>>>>>>>> > zeromq-dev@lists.zeromq.org
>>>>>>>>>> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev