From: Alexander Bulekov
Subject: Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
Date: Mon, 1 Nov 2021 12:01:05 -0400

On 211029 0853, Qiuhao Li wrote:
> Sounds great. How about mentioning this program on the Security
> Process web page [1]? Hackers who report vulnerabilities may be
> interested in fixing bugs.

Sounds like a good idea to me.

> 
> Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems 
> SD and virtio-9p are maintained now.
I'll double-check that these have reports/reproducers on gitlab. For the
9p bugs, they seem to be specific to the "synth" backend, which is only
used for testing AFAIK.

> 
> [1] https://www.qemu.org/contribute/security-process/
> [2] 
> https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2
> 
> ________________________________
> From: Alexander Bulekov <alxndr@bu.edu>
> Sent: Thursday, October 28, 2021 22:48
> To: qemu-devel@nongnu.org <qemu-devel@nongnu.org>
> Cc: Paolo Bonzini <pbonzini@redhat.com>; Bandan Das <bsd@redhat.com>; Stefan 
> Hajnoczi <stefanha@redhat.com>; Thomas Huth <thuth@redhat.com>; Darren Kenny 
> <darren.kenny@oracle.com>; Qiuhao Li <Qiuhao.Li@outlook.com>
> Subject: Possible reward for fuzzer bug fixes? Secure Open Source Rewards 
> Program
> 
> Recently a pilot for the Secure Open Source Rewards program was
> announced [1]. Currently this program is run by the Linux Foundation and
> sponsored by the Google Open Source Security Team.
> 
> The page mentions that patches for issues discovered by OSS-Fuzz may be
> eligible for rewards. This seems like it could be a good incentive for
> fixing fuzzer bugs.
> 
> A couple notes:
>  * The program also rewards contributions besides fuzzer-bug fixes.
>    Check out the page for full details.
>  * It seems that QEMU would qualify for this program. The page mentions
>    that the project should have a greater than 0.6 OpenSSF Criticality
>    Score [2]. This score factors in statistics collected from github
>    (sic!). QEMU's score is currently 0.81078
>  * Not limited to individual contributors. Vendors can also qualify for
>    rewards.
>  * Work completed before Oct 1, 2021 does not qualify.
>  * Individuals in some sanctioned countries are not eligible.
>  * The process seems to be:
>     1. Send a fix upstream
>     2. Get it accepted
>     3. Fill out a form to apply for a reward
> 
> Any thoughts about this? Should this be something we document/advertise
> somewhere, so developers are aware of this opportunity?
> 
> [1] https://sos.dev/
> [2] https://github.com/ossf/criticality_score
> 
> -Alex
