For myself, before 4pm or after 7.30pm (UTC) both days

On Wed, 16 Nov 2022 at 18:47, Amir Montazery <[email protected]> wrote:
> Thank you! Many of us are in European timezones as well (I myself am based in Chicago, USA). Is there a time that works best on Monday, December 5th or Tuesday, December 6th?
>
> On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi <[email protected]> wrote:
>
>> Sounds great, thank you - most of us are in the European timezones, let us know when you have a date/time in mind
>>
>> On Tue, 15 Nov 2022 at 18:02, Amir Montazery <[email protected]> wrote:
>>
>>> Thank you to everyone who has helped so far! What we can concretely offer is below under "What you can expect". We totally understand you maintainers are busy so the process is designed to be easy for those who participate. We also have a budget to compensate maintainers who help out directly (that can go to a nonprofit of the project's choice as well).
>>>
>>> Our first team of security experts is ready to meet the week of December 5th if you'd like to participate.
>>>
>>> P.S. The OSTIF team plans to be in Brussels for FOSDEM so we hope to see some of you there!
>>>
>>> Thank you and let me know who would like to participate.
>>>
>>> - Amir
>>>
>>> What you can expect
>>>
>>> Here is what we’re going to do (and need your help with) in a nutshell:
>>>
>>> - We’ll Perform an Initial Assessment
>>>   - Meet with you to better understand and ask questions about your package – its architecture, design choices, known issues, and so on
>>>   - Install Scorecard <https://github.com/ossf/scorecard#overview> if you don’t already have it – this evaluates your environment against a set of SDLC best practices (see https://securityscorecards.dev/ for more info) – and identify opportunities to improve low-scoring checks
>>>   - Perform a quick code review, get your package to build, check for quality and best practices
>>>   - Assess whether your package would benefit from fuzzing and is compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/> offering.
>>>   - Assess whether your package would benefit from SLSA <https://slsa.dev/> and/or SBOM <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>, software supply chain integrity (SSCI) technologies (for example, do your users commonly build from source or consume binaries that you build?)
>>> - If Warranted, We’ll Proceed with an In-Depth Review
>>>   - Perform a targeted code review on your package to identify security vulnerabilities or recommended defense-in-depth fixes
>>>   - If applicable, integrate your package with the OSS-Fuzz offering and tune it to achieve maximum coverage.
>>>   - Improve eligible Scorecard check scores
>>>   - Assist you with deploying SLSA and SBOM
>>>
>>> Here’s what we’ll ask you to do:
>>>
>>> - During the Initial Assessment
>>>   - Meet with us and our partners in a “kick-off” meeting where we’ll ask you a number of questions about your package and how it works to build a shared threat model and scope the review
>>> - During Our In-Depth Review
>>>   - Assist us with onboarding your package to OSS-Fuzz if applicable, and you’ll be compensated for doing so
>>>   - Assist us with improving the Scorecard checks we recommend, and you’ll be compensated for each
>>>   - Assist us with implementing SLSA and SBOM, if applicable, and you’ll be compensated for doing so
>>> - After our In-Depth Review
>>>   - Review the security vulnerabilities we find (if any) and our recommended defense-in-depth fixes (if any), and remediate each vulnerability within a reasonable timeframe (we’ll work this out with you when the time comes), and you’ll be compensated for each
>>>   - If applicable, produce a new build that includes all of the improvements made during this process
>>>
>>> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <[email protected]> wrote:
>>>
>>>> Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit last week for KubeCon meeting a number of projects we've done security engagements with and collecting feedback.
>>>>
>>>> I hope we can sync soon and discuss opportunities to help out with zeromq! Our org OSTIF (https://ostif.org/) has been advocating for providing free help to open source projects for almost 8 years now. We finally have some resources on our bench to help projects out with their security needs. I am finalizing what exactly that would look like in the next week!
>>>>
>>>> I'll have updates and resources for you soon. In the meantime feel free to reach out with any questions or feedback.
>>>>
>>>> Thank you,
>>>> Amir
>>>>
>>>> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <[email protected]> wrote:
>>>>
>>>>> Thanks, existing fuzzers are the *_fuzzer.cpp files at: https://github.com/zeromq/libzmq/tree/master/tests
>>>>>
>>>>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <[email protected]> wrote:
>>>>>
>>>>>> Of course, that is understandable. Thank you all for maintaining such an important project despite your busy schedules! I hope we can find a way to help make your lives easier.
>>>>>>
>>>>>> What we can contribute is a security review by an experienced team to assess general design review; code quality, defensive programming, and best practices, as well as opportunities to improve fuzzing. Additional fuzzers can be built and the team can integrate the project to OSS-Fuzz for continuous monitoring of security issues. Based on our experience, when security teams have a line of contact with the project maintainers, they can be guided and better utilized to help.
>>>>>>
>>>>>> I'm fairly certain that we can provide new fuzzers/test cases and will get more specific details for you on that.
>>>>>>
>>>>>> Thank you!
>>>>>> Amir
>>>>>>
>>>>>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Thanks for the offer, but let's continue via mail please, we are all very busy as-is.
>>>>>>>
>>>>>>> What can you contribute, concretely? I have already set up fuzzing some time ago. Can you provide new fuzzers/test cases? If so that would be great, just send pull requests to the repository.
>>>>>>>
>>>>>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <[email protected]> wrote:
>>>>>>>
>>>>>>>> We can help with whatever the project needs. The intention is to connect the project maintainer(s)/contributor(s) with our security team (made up of security experts and Google Open Source Security engineers) to help where the project needs it most. We can help with bug fixes, security tooling i.e. fuzzing and developing fuzzers for the project, CI/CD, and anything else that will help zeromq be more secure!
>>>>>>>>
>>>>>>>> Thankfully we have resources to help and are able to compensate maintainer(s) who participate in the engagement to show our gratitude for your time and efforts.
>>>>>>>>
>>>>>>>> I'd be happy to set up a quick introductory call with anyone interested in learning more.
>>>>>>>>
>>>>>>>> Thank you and have a great day!
>>>>>>>> Amir
>>>>>>>>
>>>>>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> What kind of support are you able to provide?
>>>>>>>>>
>>>>>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>>>>>
>>>>>>>>>> That’s great news, we have teams ready to help. Would you be a good person to coordinate that with? If anyone else comes to mind to include please let me know!
>>>>>>>>>>
>>>>>>>>>> I would be happy to set up a quick call to meet and discuss how we can best be of service to the zeromq project.
>>>>>>>>>>
>>>>>>>>>> Thank you,
>>>>>>>>>> Amir
>>>>>>>>>>
>>>>>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Are you sure you are on the right list? This is the zeromq list, not dnsmasq.
>>>>>>>>>>>
>>>>>>>>>>> We'd appreciate any help for sure!
>>>>>>>>>>>
>>>>>>>>>>> Rg,
>>>>>>>>>>>
>>>>>>>>>>> Arnaud
>>>>>>>>>>>
>>>>>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your security posture!
>>>>>>>>>>> >
>>>>>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc. OSTIF <https://ostif.org/> is a nonprofit solely dedicated to helping open source projects improve their security for free.
>>>>>>>>>>> >
>>>>>>>>>>> > We are working with a team of Google engineers and security experts to help important open source projects like dnsmasq. This includes helping improve testing, reviewing code, implementing more security tools, and improving supply chain security.
>>>>>>>>>>> >
>>>>>>>>>>> > Additionally, we understand the time constraints that open source contributors have, and would like to compensate contributors for their time working with us.
>>>>>>>>>>> >
>>>>>>>>>>> > We would love to work with you! Please let me know who we should be talking to and how we can help!
>>>>>>>>>>> >
>>>>>>>>>>> > Thank you in advance for your consideration!
>>>>>>>>>>> >
>>>>>>>>>>> > Best,
>>>>>>>>>>> >
>>>>>>>>>>> > Amir
>>>>>>>>>>> >
>>>>>>>>>>> > --
>>>>>>>>>>> > *Amir Montazery*
>>>>>>>>>>> > Managing Director
>>>>>>>>>>> > Open Source Technology Improvement Fund
>>>>>>>>>>> > https://ostif.org/
>>>>>>>>>>> > https://calendly.com/ostif
_______________________________________________ zeromq-dev mailing list [email protected] https://lists.zeromq.org/mailman/listinfo/zeromq-dev
