Thank you! How does 3pm UTC on 6th December look?

Thanks again,
Amir
On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra <[email protected]> wrote:
> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>
> Rg,
>
> Arnaud
>
> On 16-11-2022 20:12, Luca Boccassi wrote:
> > For myself, before 4pm or after 7.30pm (UTC) both days
> >
> > On Wed, 16 Nov 2022 at 18:47, Amir Montazery <[email protected]> wrote:
> > > Thank you! Many of us are in European timezones as well (I myself am
> > > based in Chicago, USA). Is there a time that works best on Monday,
> > > December 5th or Tuesday, December 6th?
> > >
> > > On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi <[email protected]> wrote:
> > > > Sounds great, thank you - most of us are in the European timezones,
> > > > let us know when you have a date/time in mind
> > > >
> > > > On Tue, 15 Nov 2022 at 18:02, Amir Montazery <[email protected]> wrote:
> > > > > Thank you to everyone who has helped so far! What we can concretely
> > > > > offer is below under "What you can expect". We totally understand you
> > > > > maintainers are busy so the process is designed to be easy for those
> > > > > who participate. We also have a budget to compensate maintainers who
> > > > > help out directly (that can go to a nonprofit of the project's choice
> > > > > as well).
> > > > >
> > > > > Our first team of security experts is ready to meet the week of
> > > > > December 5th if you'd like to participate.
> > > > >
> > > > > p.s. The OSTIF team plans to be in Brussels for FOSDEM so we hope to
> > > > > see some of you there!
> > > > >
> > > > > Thank you and let me know who would like to participate.
> > > > >
> > > > > - Amir
> > > > >
> > > > > What you can expect
> > > > >
> > > > > Here are what we’re going to do (and need your help with) in a
> > > > > nutshell:
> > > > >
> > > > > * We’ll Perform an Initial Assessment
> > > > >
> > > > >   o Meet with you to better understand and ask questions about your
> > > > >     package – its architecture, design choices, known issues, and so on
> > > > >
> > > > >   o Install Scorecard <https://github.com/ossf/scorecard#overview> if
> > > > >     you don’t already have it – this evaluates your environment against
> > > > >     a set of SDLC best practices (see https://securityscorecards.dev/
> > > > >     for more info) – and identify opportunities to improve low-scoring
> > > > >     checks
> > > > >
> > > > >   o Perform a quick code review, get your package to build, check for
> > > > >     quality and best practices
> > > > >
> > > > >   o Assess whether your package would benefit from fuzzing and is
> > > > >     compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/>
> > > > >     offering.
> > > > >
> > > > >   o Assess whether your package would benefit from SLSA
> > > > >     <https://slsa.dev/> and/or SBOM
> > > > >     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
> > > > >     software supply chain integrity (SSCI) technologies (for example,
> > > > >     do your users commonly build from source or consume binaries that
> > > > >     you build?)
> > > > >
> > > > > * If Warranted, We’ll Proceed with an In-Depth Review
> > > > >
> > > > >   o Perform a targeted code review on your package to identify
> > > > >     security vulnerabilities or recommended defense-in-depth fixes
> > > > >
> > > > >   o If applicable, integrate your package with the OSS-Fuzz offering
> > > > >     and tune it to achieve maximum coverage.
> > > > >
> > > > >   o Improve eligible Scorecard check scores
> > > > >
> > > > >   o Assist you with deploying SLSA and SBOM
> > > > >
> > > > > Here’s what we’ll ask you to do:
> > > > >
> > > > > * During the Initial Assessment
> > > > >
> > > > >   o Meet with us and our partners in a “kick-off” meeting where we’ll
> > > > >     ask you a number of questions about your package and how it works
> > > > >     to build a shared threat model and scope the review
> > > > >
> > > > > * During Our In-Depth Review
> > > > >
> > > > >   o Assist us with onboarding your package to OSS-Fuzz if applicable,
> > > > >     and you’ll be compensated for doing so
> > > > >
> > > > >   o Assist us with improving the Scorecard checks we recommend, and
> > > > >     you’ll be compensated for each
> > > > >
> > > > >   o Assist us with implementing SLSA and SBOM, if applicable, and
> > > > >     you’ll be compensated for doing so
> > > > >
> > > > > * After our In-Depth Review
> > > > >
> > > > >   o Review the security vulnerabilities we find (if any) and our
> > > > >     recommended defense-in-depth fixes (if any), and remediate each
> > > > >     vulnerability within a reasonable timeframe (we’ll work this out
> > > > >     with you when the time comes), and you’ll be compensated for each
> > > > >
> > > > >   o If applicable, produce a new build that includes all of the
> > > > >     improvements made during this process
> > > > >
> > > > > On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <[email protected]> wrote:
> > > > > > Awesome! Thank you for that Luca. Apologies for the lag, I was in
> > > > > > Detroit last week for KubeCon meeting a number of projects we've
> > > > > > done security engagements with and collecting feedback.
> > > > > >
> > > > > > I hope we can sync soon and discuss opportunities to help out with
> > > > > > zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
> > > > > > providing free help to open source projects for almost 8 years now.
> > > > > > We finally have some resources on our bench to help projects out
> > > > > > with their security needs. I am finalizing what exactly that would
> > > > > > look like in the next week!
> > > > > >
> > > > > > I'll have updates and resources for you soon. In the meantime feel
> > > > > > free to reach out with any questions or feedback.
> > > > > >
> > > > > > Thank you,
> > > > > > Amir
> > > > > >
> > > > > > On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <[email protected]> wrote:
> > > > > > > Thanks, existing fuzzers are the *_fuzzer.cpp files at:
> > > > > > > https://github.com/zeromq/libzmq/tree/master/tests
> > > > > > >
> > > > > > > On Wed, 19 Oct 2022 at 16:04, Amir Montazery <[email protected]> wrote:
> > > > > > > > Of course, that is understandable. Thank you all for maintaining
> > > > > > > > such an important project despite your busy schedules! I hope we
> > > > > > > > can find a way to help make your lives easier.
> > > > > > > >
> > > > > > > > What we can contribute is a security review by an experienced
> > > > > > > > team to assess general design review; code quality, defensive
> > > > > > > > programming, and best practices, as well as opportunities to
> > > > > > > > improve fuzzing. Additional fuzzers can be built and the team can
> > > > > > > > integrate the project to oss-fuzz for continuous monitoring of
> > > > > > > > security issues. Based on our experience, when security teams
> > > > > > > > have a line of contact with the project maintainers, they can be
> > > > > > > > guided and better utilized to help.
> > > > > > > >
> > > > > > > > I'm fairly certain that we can provide new fuzzers/test cases
> > > > > > > > and will get more specific details for you on that.
> > > > > > > >
> > > > > > > > Thank you!
> > > > > > > > Amir
> > > > > > > >
> > > > > > > > On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <[email protected]> wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > Thanks for the offer, but let's continue via mail please, we
> > > > > > > > > are all very busy as-is.
> > > > > > > > >
> > > > > > > > > What can you contribute, concretely? I have already set up
> > > > > > > > > fuzzing some time ago. Can you provide new fuzzers/test cases?
> > > > > > > > > If so that would be great, just send pull requests to the
> > > > > > > > > repository.
> > > > > > > > >
> > > > > > > > > On Wed, 12 Oct 2022 at 13:10, Amir Montazery <[email protected]> wrote:
> > > > > > > > > > We can help with whatever the project needs. The intention
> > > > > > > > > > is to connect the project maintainer(s)/contributor(s) with
> > > > > > > > > > our security team (made up of security experts and Google
> > > > > > > > > > Open Source Security engineers) to help where the project
> > > > > > > > > > needs it most. We can help with bug fixes, security tooling
> > > > > > > > > > i.e. fuzzing and developing fuzzers for the project, CI/CD,
> > > > > > > > > > and anything else that will help zeromq be more secure!
> > > > > > > > > >
> > > > > > > > > > Thankfully we have resources to help and are able to
> > > > > > > > > > compensate maintainer(s) who participate in the engagement
> > > > > > > > > > to show our gratitude for your time and efforts.
> > > > > > > > > >
> > > > > > > > > > I'd be happy to set up a quick introductory call with anyone
> > > > > > > > > > interested in learning more.
> > > > > > > > > >
> > > > > > > > > > Thank you and have a great day!
> > > > > > > > > > Amir
> > > > > > > > > >
> > > > > > > > > > On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <[email protected]> wrote:
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > What kind of support are you able to provide?
> > > > > > > > > > >
> > > > > > > > > > > On Tue, 11 Oct 2022 at 14:30, Amir Montazery <[email protected]> wrote:
> > > > > > > > > > > > Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
> > > > > > > > > > > >
> > > > > > > > > > > > That’s great news, we have teams ready to help. Would you
> > > > > > > > > > > > be a good person to coordinate that with? If anyone else
> > > > > > > > > > > > comes to mind to include please let me know!
> > > > > > > > > > > >
> > > > > > > > > > > > I would be happy to set up a quick call to meet and
> > > > > > > > > > > > discuss how we can best be of service to the zeromq
> > > > > > > > > > > > project.
> > > > > > > > > > > >
> > > > > > > > > > > > Thank you,
> > > > > > > > > > > > Amir
> > > > > > > > > > > >
> > > > > > > > > > > > On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <[email protected]> wrote:
> > > > > > > > > > > > > Are you sure you are on the right list? This is the
> > > > > > > > > > > > > zeromq list not dnsmasq.
> > > > > > > > > > > > >
> > > > > > > > > > > > > We'd appreciate any help for sure!
> > > > > > > > > > > > >
> > > > > > > > > > > > > Rg,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Arnaud
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 07-10-2022 21:46, Amir Montazery wrote:
> > > > > > > > > > > > > > Hello dnsmasq community! OSTIF would like to help
> > > > > > > > > > > > > > improve your security posture!
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I’m Amir from Open Source Technology Improvement
> > > > > > > > > > > > > > Fund, Inc. OSTIF <https://ostif.org/> is a nonprofit
> > > > > > > > > > > > > > solely dedicated to helping open source projects
> > > > > > > > > > > > > > improve their security for free.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > We are working with a team of Google engineers and
> > > > > > > > > > > > > > security experts to help important open source
> > > > > > > > > > > > > > projects like dnsmasq. This includes helping improve
> > > > > > > > > > > > > > testing, reviewing code, implementing more security
> > > > > > > > > > > > > > tools, and improving supply chain security.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Additionally, we understand the time constraints that
> > > > > > > > > > > > > > open source contributors have, and would like to
> > > > > > > > > > > > > > compensate contributors for their time working with
> > > > > > > > > > > > > > us.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > We would love to work with you! Please let me know who
> > > > > > > > > > > > > > we should be talking to and how we can help!
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thank you in advance for your consideration!
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Best,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Amir

--
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif
_______________________________________________ zeromq-dev mailing list [email protected] https://lists.zeromq.org/mailman/listinfo/zeromq-dev
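The thread refers to the existing *_fuzzer.cpp harnesses under libzmq's tests/ directory and to onboarding the project to OSS-Fuzz. As an added illustration (not code from libzmq, OSTIF or the thread), here is the shape such a harness takes: the extern "C" LLVMFuzzerTestOneInput entry point that libFuzzer and OSS-Fuzz call, invariants checked with abort() so the sanitizers report them as crashes, and a stand-alone main that replays corpus files when no fuzzing engine is linked. The target function, parse_greeting, is a hypothetical stand-in that validates a ZMTP 3.x greeting; a real harness would call into the library under test instead. The ZMQ_USE_FUZZING_ENGINE guard is the macro name I recall from libzmq's harnesses and should be treated as an assumption.

```cpp
// Added example of a libFuzzer / OSS-Fuzz style harness. Not libzmq code.
// parse_greeting() is a hypothetical target standing in for a library call.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// ZMTP 3.x greeting layout (64 octets):
//   signature : 0xFF, 8 padding bytes, 0x7F   (bytes  0..9)
//   version   : major (3), minor              (bytes 10..11)
//   mechanism : 20 bytes ASCII, NUL-padded    (bytes 12..31)
//   as-server : 0 or 1                        (byte  32)
//   filler    : 31 zero bytes                 (bytes 33..63)
static const size_t kGreetingSize = 64;
static const size_t kMechanismSize = 20;

struct Greeting {
    uint8_t major;
    uint8_t minor;
    std::string mechanism; // mechanism name without its NUL padding
    bool as_server;
};

enum ParseResult { kOk = 0, kShort, kBadSignature, kBadVersion, kBadMechanism, kBadFlag };

// Every access is bounds-checked against the declared size; that boundary
// handling is exactly what a fuzzer is good at stressing.
ParseResult parse_greeting(const uint8_t *data, size_t size, Greeting *out) {
    if (size < kGreetingSize) return kShort;
    if (data[0] != 0xFF || data[9] != 0x7F) return kBadSignature;
    if (data[10] != 3) return kBadVersion;
    const uint8_t *mech = data + 12;
    size_t len = 0;
    while (len < kMechanismSize && mech[len] != 0) {
        uint8_t c = mech[len];
        // mechanism names are upper-case ASCII letters, digits, '-' or '_'
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' || c == '_'))
            return kBadMechanism;
        ++len;
    }
    if (len == 0) return kBadMechanism;
    for (size_t i = len; i < kMechanismSize; ++i)
        if (mech[i] != 0) return kBadMechanism; // padding after the name must be NUL
    if (data[32] > 1) return kBadFlag;
    if (out) {
        out->major = data[10];
        out->minor = data[11];
        out->mechanism.assign(reinterpret_cast<const char *>(mech), len);
        out->as_server = data[32] == 1;
    }
    return kOk;
}

// libFuzzer entry point. It must accept any input (including size 0), must
// not leak, and must return 0. The engine only notices crashes and sanitizer
// reports, so invariants are enforced with abort() rather than return codes.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    Greeting g;
    if (parse_greeting(data, size, &g) == kOk) {
        if (g.mechanism.empty() || g.mechanism.size() > kMechanismSize) std::abort();
        if (g.major != 3) std::abort();
    }
    return 0;
}

// Builds a well-formed greeting; used as a seed input and by the checks below.
// Mechanism names longer than 20 bytes are truncated to the field size.
std::vector<uint8_t> make_greeting(const std::string &mechanism, bool as_server) {
    std::vector<uint8_t> buf(kGreetingSize, 0);
    buf[0] = 0xFF;
    buf[9] = 0x7F;
    buf[10] = 3;
    buf[11] = 1;
    size_t n = mechanism.size() < kMechanismSize ? mechanism.size() : kMechanismSize;
    std::memcpy(&buf[12], mechanism.data(), n);
    buf[32] = as_server ? 1 : 0;
    return buf;
}

// Without a fuzzing engine, replay corpus files named on the command line so
// a crashing input reported by OSS-Fuzz can be reproduced locally.
#ifndef ZMQ_USE_FUZZING_ENGINE
int main(int argc, char **argv) {
    for (int i = 1; i < argc; ++i) {
        FILE *f = std::fopen(argv[i], "rb");
        if (!f) { std::perror(argv[i]); continue; }
        std::vector<uint8_t> buf;
        uint8_t chunk[4096];
        size_t n;
        while ((n = std::fread(chunk, 1, sizeof chunk, f)) > 0) buf.insert(buf.end(), chunk, chunk + n);
        std::fclose(f);
        LLVMFuzzerTestOneInput(buf.data(), buf.size());
        std::printf("%s: %zu bytes, no crash\n", argv[i], buf.size());
    }
    return 0;
}
#endif
```

Build it with `clang++ -fsanitize=fuzzer,address` to get a fuzzing binary, or with a plain `clang++` (no engine, so the main above is compiled in) to replay crash files from a corpus.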
