From: Thomas Huth <thuth@redhat.com>
To: Alexander Bulekov <alxndr@bu.edu>, qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>, Bandan Das <bsd@redhat.com>,
Qiuhao Li <Qiuhao.Li@outlook.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Darren Kenny <darren.kenny@oracle.com>
Subject: Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
Date: Tue, 23 Nov 2021 15:56:40 +0100
Message-ID: <23f3d0e5-55a7-03d2-4163-5046d0517204@redhat.com>
In-Reply-To: <20211028144822.jjbw7ypkkman7sow@mozz.bu.edu>
On 28/10/2021 16.48, Alexander Bulekov wrote:
> Recently a pilot for the Secure Open Source Rewards program was
> announced [1]. Currently this program is run by the Linux Foundation and
> sponsored by the Google Open Source Security Team.
>
> The page mentions that patches for issues discovered by OSS-Fuzz may be
> eligible for rewards. This seems like it could be a good incentive for
> fixing fuzzer bugs.
>
> A couple notes:
> * The program also rewards contributions besides fuzzer-bug fixes.
> Check out the page for full details.
> * It seems that QEMU would qualify for this program. The page mentions
> that the project should have a greater than 0.6 OpenSSF Criticality
> Score [2]. This score factors in statistics collected from github
> (sic!). QEMU's score is currently 0.81078
> * Not limited to individual contributors. Vendors can also qualify for
> rewards.
> * Work completed before Oct 1, 2021 does not qualify.
> * Individuals in some sanctioned countries are not eligible.
> * The process seems to be:
> 1. Send a fix upstream
> 2. Get it accepted
> 3. Fill out a form to apply for a reward
>
> Any thoughts about this? Should this be something we document/advertise
> somewhere, so developers are aware of this opportunity?
Sorry for the late reply ... That sounds interesting, indeed!
Would it make sense to publish this as a blog entry on www.qemu.org? ... it
would then get automatically mirrored to https://planet.virt-tools.org/ , too.
I think most issues are tagged with "fuzzer" in the issue tracker already,
so it should be possible to easily find the issue to work on.
So if you like, clone https://gitlab.com/qemu-project/qemu-web.git and add a
new entry in the _posts directory. Once done send the patch for review to
qemu-devel with Paolo and myself on CC.

 Thomas
Thread overview (4 messages):
2021-10-28 14:48 Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program - Alexander Bulekov
2021-10-29 08:53 ` Qiuhao Li
2021-11-01 16:01 ` Alexander Bulekov
2021-11-23 14:56 ` Thomas Huth [this message]