Sounds great. How about mentioning this program on the Security Process web page [1]? Hackers who report vulnerabilities may be interested in fixing bugs.
Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems SD and virtio-9p are maintained now. [1] https://www.qemu.org/contribute/security-process/ [2] https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2 ________________________________ From: Alexander Bulekov <[email protected]> Sent: Thursday, October 28, 2021 22:48 To: [email protected] <[email protected]> Cc: Paolo Bonzini <[email protected]>; Bandan Das <[email protected]>; Stefan Hajnoczi <[email protected]>; Thomas Huth <[email protected]>; Darren Kenny <[email protected]>; Qiuhao Li <[email protected]> Subject: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program Recently a pilot for the Secure Open Source Rewards program was announced [1]. Currently this program is run by the Linux Foundation and sponsored by the Google Open Source Security Team. The page mentions that patches for issues discovered by OSS-Fuzz may be eligible for rewards. This seems like it could be a good incentive for fixing fuzzer bugs. A couple notes: * The program also rewards contributions besides fuzzer-bug fixes. Check out the page for full details. * It seems that QEMU would qualify for this program. The page mentions that the project should have a greater than 0.6 OpenSSF Criticality Score [2]. This score factors in statistics collected from github (sic!). QEMU's score is currently 0.81078 * Not limited to individual contributors. Vendors can also qualify for rewards. * Work completed before Oct 1, 2021 does not qualify. * Individuals in some sanctioned countries are not eligible. * The process seems to be: 1. Send a fix upstream 2. Get it accepted 3. Fill out a form to apply for a reward Any thoughts about this? Should this be something we document/advertise somewhere, so developers are aware of this opportunity? [1] https://sos.dev/ [2] https://github.com/ossf/criticality_score -Alex
