You can use every email address (like security@dp), including non-Google e-mail addresses, but they will only receive notifications and will not be able to login to the OSS-Fuzz dashboard at https://oss-fuzz.com/. Adding more e-mail addresses is done by making a PR against OSS-Fuzz and changing the project.yaml file. You can do this; we'll tell the admins who approve the PRs that you have the agency to do this.
I've made an initial PR for Django fuzzers here: https://github.com/google/oss-fuzz/pull/2579 The fuzzers and the corpus are still in a private repo. On Sun, Jul 7, 2019 at 11:14 AM Florian Apolloner <f.apollo...@gmail.com> wrote: > Hi Guido, > > wow. That would be very much appreciated. security@dp is just a google > mailing list I fear. If you added me, would it be possible that I manage > the other email addresses, or would you have to do that all? Also for now > please do not add anyone without my sayso, I'll get in touch with you over > a verified channel, so you can be sure you are giving access to someone > from the security team. > > Thanks, > Florian > > On Saturday, July 6, 2019 at 9:06:42 PM UTC+2, Guido Vranken wrote: >> >> Dear group, >> >> I've built a Django fuzzer that can be used with Google OSS-Fuzz [1]. >> >> The current fuzzer harness calls a host of django.util.* and related >> functions with pseudo-random inputs. Fuzzing these functions can be useful >> to see if any untrusted input can cause slowdowns, hangs, excessive memory >> consumption, or unexpected exceptions. There have been several of such >> issues in recent years (CVE-2018-7537, CVE-2018-7536, CVE-2019-6975 [2]), >> and it is quite likely that my fuzzer would detect these vulnerabilities >> automatically. In addition to these general vulnerability classes, the >> harness can be easily extended to raise a warning on any custom condition. >> >> Are the Django developers interested in OSS-Fuzz integration? If so, I >> will need one or more email addresses linked to a Google account that will >> receive the automated bug reports generated by OSS-Fuzz. Because these >> reports may contain security-sensitive information, it is recommended that >> only developers who ordinarily deal with security reports are included in >> this list. >> >> Guido >> >> [1] https://github.com/google/oss-fuzz >> [2] https://docs.djangoproject.com/en/dev/releases/security/ >> > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To post to this group, send email to django-developers@googlegroups.com. > Visit this group at https://groups.google.com/group/django-developers. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/87432798-f1fe-46cc-aad5-4700b896e690%40googlegroups.com > <https://groups.google.com/d/msgid/django-developers/87432798-f1fe-46cc-aad5-4700b896e690%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAO5O-EJuW6%2B%2B95C%2B9UH_UTjba2m1kpUgp58Qnq5mytKGar8WNg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
