Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Pro

From: Thomas Huth
Subject: Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
Date: Tue, 23 Nov 2021 15:56:40 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0

On 28/10/2021 16.48, Alexander Bulekov wrote:
Recently a pilot for the Secure Open Source Rewards program was
announced [1]. Currently this program is run by the Linux Foundation and
sponsored by the Google Open Source Security Team.

The page mentions that patches for issues discovered by OSS-Fuzz may be
eligible for rewards. This seems like it could be a good incentive for
fixing fuzzer bugs.

A couple notes:
  * The program also rewards contributions besides fuzzer-bug fixes.
    Check out the page for full details.
  * It seems that QEMU would qualify for this program. The page mentions
    that the project should have a greater than 0.6 OpenSSF Criticality
    Score [2]. This score factors in statistics collected from github
    (sic!). QEMU's score is currently 0.81078
  * Not limited to individual contributors. Vendors can also qualify for
  * Work completed before Oct 1, 2021 does not qualify.
  * Individuals in some sanctioned countries are not eligible.
  * The process seems to be:
     1. Send a fix upstream
     2. Get it accepted
     3. Fill out a form to apply for a reward

Any thoughts about this? Should this be something we document/advertise
somewhere, so developers are aware of this opportunity?

Sorry for the late reply ... That sounds interesting, indeed!

Would it make sense to publish this as a blog entry on www.qemu.org? ... it would then get automatically mirrored to https://planet.virt-tools.org/ , too.

I think most issues are tagged with "fuzzer" in the issue tracker already, so it should be possible to easily find the issue to work on.

So if you like, clone https://gitlab.com/qemu-project/qemu-web.git and add a new entry in the _posts directory. Once done, send the patch for review to qemu-devel with Paolo and myself on CC: