Sounds good for me, thank you

On Thu, 17 Nov 2022 at 16:36, Amir Montazery <[email protected]> wrote:

> Thank you! How does 3pm UTC on 6th December look?
>
> Thanks again,
> Amir
>
> On Wed, Nov 16, 2022 at 1:23 PM Arnaud Loonstra <[email protected]> wrote:
>
> Before 4pm UTC suits me as well, both days. I prefer the 6th.
>
> Rg,
>
> Arnaud
>
> On 16-11-2022 20:12, Luca Boccassi wrote:
>
> For myself, before 4pm or after 7.30pm (UTC) both days
>
> On Wed, 16 Nov 2022 at 18:47, Amir Montazery <[email protected]> wrote:
>
> Thank you! Many of us are in European timezones as well (I myself am based in Chicago, USA). Is there a time that works best on Monday, December 5th or Tuesday, December 6th?
>
> On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi <[email protected]> wrote:
>
> Sounds great, thank you - most of us are in the European timezones, let us know when you have a date/time in mind
>
> On Tue, 15 Nov 2022 at 18:02, Amir Montazery <[email protected]> wrote:
>
> Thank you to everyone who has helped so far! What we can concretely offer is below under "What you can expect". We totally understand you maintainers are busy so the process is designed to be easy for those who participate. We also have a budget to compensate maintainers who help out directly (that can go to a nonprofit of the project's choice as well).
>
> Our first team of security experts is ready to meet the week of December 5th if you'd like to participate.
>
> P.S. The OSTIF team plans to be in Brussels for FOSDEM so we hope to see some of you there!
>
> Thank you and let me know who would like to participate.
>
> - Amir
>
> What you can expect
>
> Here is what we're going to do (and need your help with) in a nutshell:
>
> * We'll Perform an Initial Assessment
>   o Meet with you to better understand and ask questions about your package – its architecture, design choices, known issues, and so on
>   o Install Scorecard <https://github.com/ossf/scorecard#overview> if you don't already have it – this evaluates your environment against a set of SDLC best practices (see https://securityscorecards.dev/ for more info) – and identify opportunities to improve low-scoring checks
>   o Perform a quick code review, get your package to build, check for quality and best practices
>   o Assess whether your package would benefit from fuzzing and is compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/> offering
>   o Assess whether your package would benefit from SLSA <https://slsa.dev/> and/or SBOM <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>, software supply chain integrity (SSCI) technologies (for example, do your users commonly build from source or consume binaries that you build?)
>
> * If Warranted, We'll Proceed with an In-Depth Review
>   o Perform a targeted code review on your package to identify security vulnerabilities or recommended defense-in-depth fixes
>   o If applicable, integrate your package with the OSS-Fuzz offering and tune it to achieve maximum coverage
>   o Improve eligible Scorecard check scores
>   o Assist you with deploying SLSA and SBOM
>
> Here's what we'll ask you to do:
>
> * During the Initial Assessment
>   o Meet with us and our partners in a "kick-off" meeting where we'll ask you a number of questions about your package and how it works to build a shared threat model and scope the review
>
> * During Our In-Depth Review
>   o Assist us with onboarding your package to OSS-Fuzz if applicable, and you'll be compensated for doing so
>   o Assist us with improving the Scorecard checks we recommend, and you'll be compensated for each
>   o Assist us with implementing SLSA and SBOM, if applicable, and you'll be compensated for doing so
>
> * After Our In-Depth Review
>   o Review the security vulnerabilities we find (if any) and our recommended defense-in-depth fixes (if any), and remediate each vulnerability within a reasonable timeframe (we'll work this out with you when the time comes), and you'll be compensated for each
>   o If applicable, produce a new build that includes all of the improvements made during this process
>
> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <[email protected]> wrote:
>
> Awesome! Thank you for that Luca. Apologies for the lag, I was in Detroit last week for KubeCon meeting a number of projects we've done security engagements with and collecting feedback.
>
> I hope we can sync soon and discuss opportunities to help out with zeromq! Our org OSTIF (https://ostif.org/) has been advocating for providing free help to open source projects for almost 8 years now.
> We finally have some resources on our bench to help projects out with their security needs. I am finalizing what exactly that would look like in the next week!
>
> I'll have updates and resources for you soon. In the meantime feel free to reach out with any questions or feedback.
>
> Thank you,
> Amir
>
> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <[email protected]> wrote:
>
> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
> https://github.com/zeromq/libzmq/tree/master/tests
>
> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <[email protected]> wrote:
>
> Of course, that is understandable. Thank you all for maintaining such an important project despite your busy schedules! I hope we can find a way to help make your lives easier.
>
> What we can contribute is a security review by an experienced team to assess general design review; code quality, defensive programming, and best practices, as well as opportunities to improve fuzzing. Additional fuzzers can be built and the team can integrate the project to oss-fuzz for continuous monitoring of security issues. Based on our experience, when security teams have a line of contact with the project maintainers, they can be guided and better utilized to help.
>
> I'm fairly certain that we can provide new fuzzers/test cases and will get more specific details for you on that.
>
> Thank you!
> Amir
>
> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <[email protected]> wrote:
>
> Hi,
>
> Thanks for the offer, but let's continue via mail please, we are all very busy as-is.
>
> What can you contribute, concretely? I have already set up fuzzing some time ago. Can you provide new fuzzers/test cases? If so that would be great, just send pull requests to the repository.
>
> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <[email protected]> wrote:
>
> We can help with whatever the project needs. The intention is to connect the project maintainer(s)/contributor(s) with our security team (made up of security experts and Google Open Source Security engineers) to help where the project needs it most. We can help with bug fixes, security tooling i.e. fuzzing and developing fuzzers for the project, CI/CD, and anything else that will help zeromq be more secure!
>
> Thankfully we have resources to help and are able to compensate maintainer(s) who participate in the engagement to show our gratitude for your time and efforts.
>
> I'd be happy to set up a quick introductory call with anyone interested in learning more.
>
> Thank you and have a great day!
> Amir
>
> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <[email protected]> wrote:
>
> Hi,
>
> What kind of support are you able to provide?
>
> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <[email protected]> wrote:
>
> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>
> That's great news, we have teams ready to help. Would you be a good person to coordinate that with? If anyone else comes to mind to include please let me know!
>
> I would be happy to set up a quick call to meet and discuss how we can best be of service to the zeromq project.
>
> Thank you,
> Amir
>
> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <[email protected]> wrote:
>
> Are you sure you are on the right list? This is the zeromq list, not dnsmasq.
>
> We'd appreciate any help for sure!
>
> Rg,
>
> Arnaud
>
> On 07-10-2022 21:46, Amir Montazery wrote:
>
> Hello dnsmasq community! OSTIF would like to help improve your security posture!
>
> I'm Amir from Open Source Technology Improvement Fund, Inc. OSTIF <https://ostif.org/> is a nonprofit solely dedicated to helping open source projects improve their security for free.
>
> We are working with a team of Google engineers and security experts to help important open source projects like dnsmasq. This includes helping improve testing, reviewing code, implementing more security tools, and improving supply chain security.
>
> Additionally, we understand the time constraints that open source contributors have, and would like to compensate contributors for their time working with us.
>
> We would love to work with you! Please let me know who we should be talking to and how we can help!
>
> Thank you in advance for your consideration!
>
> Best,
>
> Amir
>
> --
> *Amir Montazery*
> Managing Director
> Open Source Technology Improvement Fund
> https://ostif.org/
> https://calendly.com/ostif
>
> _______________________________________________
> zeromq-dev mailing list
> [email protected]
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
