qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Pro

From: Qiuhao Li
Subject: Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
Date: Fri, 29 Oct 2021 08:53:35 +0000
Sounds great. How about mentioning this program on the Security Process web page [1]? Hackers who report vulnerabilities may be interested in fixing bugs.

Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems SD and virtio-9p are maintained now.

[1] https://www.qemu.org/contribute/security-process/
[2] https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2

From: Alexander Bulekov <alxndr@bu.edu>
Sent: Thursday, October 28, 2021 22:48
To: qemu-devel@nongnu.org <qemu-devel@nongnu.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>; Bandan Das <bsd@redhat.com>; Stefan Hajnoczi <stefanha@redhat.com>; Thomas Huth <thuth@redhat.com>; Darren Kenny <darren.kenny@oracle.com>; Qiuhao Li <Qiuhao.Li@outlook.com>
Subject: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
 
Recently a pilot for the Secure Open Source Rewards program was
announced [1]. Currently this program is run by the Linux Foundation and
sponsored by the Google Open Source Security Team.

The page mentions that patches for issues discovered by OSS-Fuzz may be
eligible for rewards. This seems like it could be a good incentive for
fixing fuzzer bugs.

A couple notes:
 * The program also rewards contributions besides fuzzer-bug fixes.
   Check out the page for full details.
 * It seems that QEMU would qualify for this program. The page mentions
   that the project should have a greater than 0.6 OpenSSF Criticality
   Score [2]. This score factors in statistics collected from github
   (sic!). QEMU's score is currently 0.81078
 * Not limited to individual contributors. Vendors can also qualify for
   rewards.
 * Work completed before Oct 1, 2021 does not qualify.
 * Individuals in some sanctioned countries are not eligible.
 * The process seems to be:
    1. Send a fix upstream
    2. Get it accepted
    3. Fill out a form to apply for a reward

Any thoughts about this? Should this be something we document/advertise
somewhere, so developers are aware of this opportunity?

[1] https://sos.dev/
[2] https://github.com/ossf/criticality_score

-Alex
reply via email to
[Prev in Thread] Current Thread [Next in Thread]