From: Alexander Bulekov
Subject: Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
Date: Mon, 1 Nov 2021 12:01:05 -0400
On 211029 0853, Qiuhao Li wrote:
> Sounds great. How about mentioning this program on the Security
> Process web page [1]? Hackers who report vulnerabilities may be
> interested in fixing bugs.
Sounds like a good idea to me.
>
> Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems
> SD and virtio-9p are maintained now.
I'll double check that these have reports/reproducers on gitlab. For the
9p bugs, they seem to be specific to the "synth" backend which is only
used for testing AFAIK.
>
> [1] https://www.qemu.org/contribute/security-process/
> [2]
> https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2
>
> From: Alexander Bulekov <alxndr@bu.edu>
> Sent: Thursday, October 28, 2021 22:48
> To: qemu-devel@nongnu.org <qemu-devel@nongnu.org>
> Cc: Paolo Bonzini <pbonzini@redhat.com>; Bandan Das <bsd@redhat.com>; Stefan
> Hajnoczi <stefanha@redhat.com>; Thomas Huth <thuth@redhat.com>; Darren Kenny
> <darren.kenny@oracle.com>; Qiuhao Li <Qiuhao.Li@outlook.com>
> Subject: Possible reward for fuzzer bug fixes? Secure Open Source Rewards
> Program
>
> Recently a pilot for the Secure Open Source Rewards program was
> announced [1]. Currently this program is run by the Linux Foundation and
> sponsored by the Google Open Source Security Team.
>
> The page mentions that patches for issues discovered by OSS-Fuzz may be
> eligible for rewards. This seems like it could be a good incentive for
> fixing fuzzer bugs.
>
> A couple notes:
> * The program also rewards contributions besides fuzzer-bug fixes.
> Check out the page for full details.
> * It seems that QEMU would qualify for this program. The page mentions
> that the project should have a greater than 0.6 OpenSSF Criticality
> Score [2]. This score factors in statistics collected from github
> (sic!). QEMU's score is currently 0.81078
> * Not limited to individual contributors. Vendors can also qualify for
> rewards.
> * Work completed before Oct 1, 2021 does not qualify.
> * Individuals in some sanctioned countries are not eligible.
> * The process seems to be:
> 1. Send a fix upstream
> 2. Get it accepted
> 3. Fill out a form to apply for a reward
>
> Any thoughts about this? Should this be something we document/advertise
> somewhere, so developers are aware of this opportunity?
>
> [1] https://sos.dev/
> [2] https://github.com/ossf/criticality_score
>
> -Alex