For myself, before 4pm or after 7.30pm (UTC) both days
On Wed, 16 Nov 2022 at 18:47, Amir Montazery <[email protected]> wrote:
Thank you! Many of us are in European timezones as well (I myself am
based in Chicago, USA). Is there a time that works best on Monday,
December 5th or Tuesday, December 6th?
On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi <[email protected]> wrote:
Sounds great, thank you - most of us are in the European
timezones, let us know when you have a date/time in mind
On Tue, 15 Nov 2022 at 18:02, Amir Montazery <[email protected]> wrote:
Thank you to everyone who has helped so far! What we can
concretely offer is below under "What you can expect". We
totally understand you maintainers are busy so the process
is designed to be easy for those who participate. We also
have a budget to compensate maintainers who help out
directly (that can go to a nonprofit of the project's choice
as well).
Our first team of security experts is ready to meet the week
of December 5th if you'd like to participate.
p.s The OSTIF team plans to be in Brussels for fosdem so we
hope to see some of you there!
Thank you and let me know who would like to participate.
- Amir
What you can expect

Here is what we’re going to do (and need your help with) in a nutshell:

* We’ll Perform an Initial Assessment
  o Meet with you to better understand and ask questions about your package – its architecture, design choices, known issues, and so on
  o Install Scorecard <https://github.com/ossf/scorecard#overview> if you don’t already have it – this evaluates your environment against a set of SDLC best practices (see https://securityscorecards.dev/ for more info) – and identify opportunities to improve low-scoring checks
  o Perform a quick code review, get your package to build, check for quality and best practices
  o Assess whether your package would benefit from fuzzing and is compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/> offering.
  o Assess whether your package would benefit from SLSA <https://slsa.dev/> and/or SBOM <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>, software supply chain integrity (SSCI) technologies (for example, do your users commonly build from source or consume binaries that you build?)
* If Warranted, We’ll Proceed with an In-Depth Review
  o Perform a targeted code review on your package to identify security vulnerabilities or recommended defense-in-depth fixes
  o If applicable, integrate your package with the OSS-Fuzz offering and tune it to achieve maximum coverage.
  o Improve eligible Scorecard check scores
  o Assist you with deploying SLSA and SBOM

Here’s what we’ll ask you to do:

* During the Initial Assessment
  o Meet with us and our partners in a “kick-off” meeting where we’ll ask you a number of questions about your package and how it works to build a shared threat model and scope the review
* During Our In-Depth Review
  o Assist us with onboarding your package to OSS-Fuzz if applicable, and you’ll be compensated for doing so
  o Assist us with improving the Scorecard checks we recommend, and you’ll be compensated for each
  o Assist us with implementing SLSA and SBOM, if applicable, and you’ll be compensated for doing so
* After our In-Depth Review
  o Review the security vulnerabilities we find (if any) and our recommended defense-in-depth fixes (if any), and remediate each vulnerability within a reasonable timeframe (we’ll work this out with you when the time comes), and you’ll be compensated for each
  o If applicable, produce a new build that includes all of the improvements made during this process
On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <[email protected]> wrote:
Awesome! Thank you for that Luca. Apologies for the lag,
I was in Detroit last week for KubeCon meeting a number
of projects we've done security engagements with and
collecting feedback.
I hope we can sync soon and discuss opportunities to
help out with zeromq! Our org OSTIF (https://ostif.org/) has been advocating for providing
free help to open source projects for almost 8 years
now. We finally have some resources on our bench to help
projects out with their security needs. I am finalizing
what exactly that would look like in the next week!
I'll have updates and resources for you soon. In the
meantime feel free to reach out with any questions or
feedback.
Thank you,
Amir
On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <[email protected]> wrote:
Thanks, existing fuzzers are the *_fuzzer.cpp files at:
https://github.com/zeromq/libzmq/tree/master/tests
On Wed, 19 Oct 2022 at 16:04, Amir Montazery <[email protected]> wrote:
Of course, that is understandable. Thank you all
for maintaining such an important project
despite your busy schedules! I hope we can find
a way to help make your lives easier.
What we can contribute is a security review by
an experienced team to assess general design
review; code quality, defensive programming, and
best practices, as well as opportunities to
improve fuzzing. Additional fuzzers can be built
and the team can integrate the project to
oss-fuzz for continuous monitoring of security
issues. Based on our experience, when security
teams have a line of contact with the project
maintainers, they can be guided and better
utilized to help.
I'm fairly certain that we can provide new
fuzzers/test cases and will get more specific
details for you on that.
Thank you!
Amir
On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <[email protected]> wrote:
Hi,
Thanks for the offer, but let's continue via
mail please, we are all very busy as-is.
What can you contribute, concretely? I have
already set up fuzzing some time ago. Can
you provide new fuzzers/test cases? If so
that would be great, just send pull requests
to the repository.
On Wed, 12 Oct 2022 at 13:10, Amir Montazery <[email protected]> wrote:
We can help with whatever the project
needs. The intention is to connect the
project maintainer(s)/contributor(s)
with our security team (made up of
security experts and Google Open Source
Security engineers) to help where the
project needs it most. We can help with
bug fixes, security tooling, i.e. fuzzing
and developing fuzzers for the project,
CI/CD, and anything else that will help
zeromq be more secure!
Thankfully we have resources to help and
are able to compensate maintainer(s) who
participate in the engagement to show
our gratitude for your time and efforts.
I'd be happy to set up a quick
introductory call with anyone interested
in learning more.
Thank you and have a great day!
Amir
On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <[email protected]> wrote:
Hi,
What kind of support are you able to
provide?
On Tue, 11 Oct 2022 at 14:30, Amir Montazery <[email protected]> wrote:
Yes, I meant zeromq. Thank you
Arnaud! That is my mistake.
That’s great news, we have teams
ready to help. Would you be a
good person to coordinate that
with? If anyone else comes to
mind to include please let me know!
I would be happy to set up a
quick call to meet and discuss
how we can best be of service to
the zeromq project.
Thank you,
Amir
On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <[email protected]> wrote:
Are you sure you are on the right list? This is the zeromq
list, not dnsmasq.
We'd appreciate any help for
sure!
Rg,
Arnaud
On 07-10-2022 21:46, Amir Montazery wrote:
> Hello dnsmasq community! OSTIF would like to help improve your security
> posture!
>
> I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF
> <https://ostif.org/> is a nonprofit solely dedicated to helping open
> source projects improve their security for free.
>
> We are working with a team of Google engineers and security experts to
> help important open source projects like dnsmasq. This includes helping
> improve testing, reviewing code, implementing more security tools, and
> improving supply chain security.
>
> Additionally, we understand the time constraints that open source
> contributors have, and would like to compensate contributors for their
> time working with us.
>
> We would love to work with you! Please let me know who we should be
> talking to and how we can help!
>
> Thank you in advance for your consideration!
>
> Best,
>
> Amir
>
> --
> *Amir Montazery*
> Managing Director
> Open Source Technology Improvement Fund
> https://ostif.org/
> https://calendly.com/ostif
>
> _______________________________________________
> zeromq-dev mailing list
> [email protected]
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev