|
From: | Qiuhao Li |
Subject: | Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program |
Date: | Fri, 29 Oct 2021 08:53:35 +0000 |
Sounds great. How about mentioning this program on the Security Process web page [1]? Hackers who report vulnerabilities may be interested in fixing bugs.
Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems SD and virtio-9p are maintained now.
[1] https://www.qemu.org/contribute/security-process/
[2]
https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2From: Alexander Bulekov <alxndr@bu.edu>
Sent: Thursday, October 28, 2021 22:48 To: qemu-devel@nongnu.org <qemu-devel@nongnu.org> Cc: Paolo Bonzini <pbonzini@redhat.com>; Bandan Das <bsd@redhat.com>; Stefan Hajnoczi <stefanha@redhat.com>; Thomas Huth <thuth@redhat.com>; Darren Kenny <darren.kenny@oracle.com>; Qiuhao Li <Qiuhao.Li@outlook.com> Subject: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program Recently a pilot for the Secure Open Source Rewards program was
announced [1]. Currently this program is run by the Linux Foundation and sponsored by the Google Open Source Security Team. The page mentions that patches for issues discovered by OSS-Fuzz may be eligible for rewards. This seems like it could be a good incentive for fixing fuzzer bugs. A couple notes: * The program also rewards contributions besides fuzzer-bug fixes. Check out the page for full details. * It seems that QEMU would qualify for this program. The page mentions that the project should have a greater than 0.6 OpenSSF Criticality Score [2]. This score factors in statistics collected from github (sic!). QEMU's score is currently 0.81078 * Not limited to individual contributors. Vendors can also qualify for rewards. * Work completed before Oct 1, 2021 does not qualify. * Individuals in some sanctioned countries are not eligible. * The process seems to be: 1. Send a fix upstream 2. Get it accepted 3. Fill out a form to apply for a reward Any thoughts about this? Should this be something we document/advertise somewhere, so developers are aware of this opportunity? [1] https://sos.dev/ [2] https://github.com/ossf/criticality_score -Alex |
[Prev in Thread] | Current Thread | [Next in Thread] |