* Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
@ 2021-10-28 14:48 Alexander Bulekov
2021-10-29 8:53 ` Qiuhao Li
2021-11-23 14:56 ` Thomas Huth
0 siblings, 2 replies; 4+ messages in thread
From: Alexander Bulekov @ 2021-10-28 14:48 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Qiuhao Li, Darren Kenny, Bandan Das, Stefan Hajnoczi,
Paolo Bonzini
Recently a pilot for the Secure Open Source Rewards program was
announced [1]. Currently this program is run by the Linux Foundation and
sponsored by the Google Open Source Security Team.
The page mentions that patches for issues discovered by OSS-Fuzz may be
eligible for rewards. This seems like it could be a good incentive for
fixing fuzzer bugs.
A couple notes:
* The program also rewards contributions besides fuzzer-bug fixes.
Check out the page for full details.
* It seems that QEMU would qualify for this program. The page mentions
that the project should have a greater than 0.6 OpenSSF Criticality
Score [2]. This score factors in statistics collected from github
(sic!). QEMU's score is currently 0.81078.
* Not limited to individual contributors. Vendors can also qualify for
rewards.
* Work completed before Oct 1, 2021 does not qualify.
* Individuals in some sanctioned countries are not eligible.
* The process seems to be:
1. Send a fix upstream
2. Get it accepted
3. Fill out a form to apply for a reward
Any thoughts about this? Should this be something we document/advertise
somewhere, so developers are aware of this opportunity?
[1] https://sos.dev/
[2] https://github.com/ossf/criticality_score
-Alex
* Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
2021-10-28 14:48 Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program Alexander Bulekov
@ 2021-10-29 8:53 ` Qiuhao Li
2021-11-01 16:01 ` Alexander Bulekov
2021-11-23 14:56 ` Thomas Huth
1 sibling, 1 reply; 4+ messages in thread
From: Qiuhao Li @ 2021-10-29 8:53 UTC (permalink / raw)
To: Alexander Bulekov, qemu-devel@nongnu.org
Cc: Paolo Bonzini, Bandan Das, Thomas Huth, Stefan Hajnoczi,
Darren Kenny
Sounds great. How about mentioning this program on the Security Process web page [1]? Hackers who report vulnerabilities may be interested in fixing bugs.
Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems SD and virtio-9p are maintained now.
[1] https://www.qemu.org/contribute/security-process/
[2] https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2
* Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
2021-10-29 8:53 ` Qiuhao Li
@ 2021-11-01 16:01 ` Alexander Bulekov
0 siblings, 0 replies; 4+ messages in thread
From: Alexander Bulekov @ 2021-11-01 16:01 UTC (permalink / raw)
To: Qiuhao Li
Cc: Thomas Huth, qemu-devel@nongnu.org, Darren Kenny, Bandan Das,
Stefan Hajnoczi, Paolo Bonzini
On 211029 0853, Qiuhao Li wrote:
> Sounds great. How about mentioning this program on the Security
> Process web page [1]? Hackers who report vulnerabilities may be
> interested in fixing bugs.
Sounds like a good idea to me.
>
> Just curious. Why didn't those bugs [2] get fixed before disclosure? It seems SD and virtio-9p are maintained now.
I'll double check that these have reports/reproducers on gitlab. For the
9p bugs, they seem to be specific to the "synth" backend which is only
used for testing AFAIK.
>
> [1] https://www.qemu.org/contribute/security-process/
> [2] https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-reported&q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20qemu&can=2
* Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program
2021-10-28 14:48 Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program Alexander Bulekov
2021-10-29 8:53 ` Qiuhao Li
@ 2021-11-23 14:56 ` Thomas Huth
1 sibling, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2021-11-23 14:56 UTC (permalink / raw)
To: Alexander Bulekov, qemu-devel
Cc: Paolo Bonzini, Bandan Das, Qiuhao Li, Stefan Hajnoczi,
Darren Kenny
On 28/10/2021 16.48, Alexander Bulekov wrote:
> Recently a pilot for the Secure Open Source Rewards program was
> announced [1]. Currently this program is run by the Linux Foundation and
> sponsored by the Google Open Source Security Team.
>
> The page mentions that patches for issues discovered by OSS-Fuzz may be
> eligible for rewards. This seems like it could be a good incentive for
> fixing fuzzer bugs.
>
> A couple notes:
> * The program also rewards contributions besides fuzzer-bug fixes.
> Check out the page for full details.
> * It seems that QEMU would qualify for this program. The page mentions
> that the project should have a greater than 0.6 OpenSSF Criticality
> Score [2]. This score factors in statistics collected from github
> (sic!). QEMU's score is currently 0.81078
> * Not limited to individual contributors. Vendors can also qualify for
> rewards.
> * Work completed before Oct 1, 2021 does not qualify.
> * Individuals in some sanctioned countries are not eligible.
> * The process seems to be:
> 1. Send a fix upstream
> 2. Get it accepted
> 3. Fill out a form to apply for a reward
>
> Any thoughts about this? Should this be something we document/advertise
> somewhere, so developers are aware of this opportunity?
Sorry for the late reply ... That sounds interesting, indeed!
Would it make sense to publish this as a blog entry on www.qemu.org? ... it
would then get automatically mirrored to https://planet.virt-tools.org/, too.
I think most issues are tagged with "fuzzer" in the issue tracker already,
so it should be possible to easily find the issue to work on.
So if you like, clone https://gitlab.com/qemu-project/qemu-web.git and add a
new entry in the _posts directory. Once done send the patch for review to
qemu-devel with Paolo and myself on CC:
Thomas
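The steps Thomas outlines (clone qemu-web, add a file under _posts, send the patch to qemu-devel) as a shell script. This is an added example and not code from the thread or from the qemu-web repository; it assumes qemu-web is a Jekyll site whose posts live in _posts/ as YYYY-MM-DD-slug.md files with YAML front matter carrying layout, title and date, and the slug, title and commit message below are placeholders.

```shell
#!/bin/sh
# Added example: draft a qemu-web blog entry and turn it into a patch for
# qemu-devel. Assumes the Jekyll layout described above (an assumption,
# not verified against qemu-web); slug, title and post body are
# placeholders.
set -eu

# new_post REPO DATE SLUG TITLE
# Writes REPO/_posts/DATE-SLUG.md and prints its path. Rejects dates that
# are not YYYY-MM-DD and slugs containing anything but lowercase letters,
# digits and hyphens, so the file name follows the Jekyll convention and
# cannot carry path separators or shell metacharacters.
new_post() {
    repo=$1; pdate=$2; slug=$3; title=$4
    case $pdate in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "new_post: bad date '$pdate' (want YYYY-MM-DD)" >&2; return 1 ;;
    esac
    case $slug in
        ""|*[!a-z0-9-]*) echo "new_post: bad slug '$slug'" >&2; return 1 ;;
    esac
    mkdir -p "$repo/_posts"
    post="$repo/_posts/$pdate-$slug.md"
    cat > "$post" <<EOF
---
layout: post
title: "$title"
date: $pdate
---
Placeholder body: describe the program, link to https://sos.dev/ and to
the "fuzzer"-tagged issues in the QEMU issue tracker.
EOF
    echo "$post"
}

# submit_post REPO POST
# Commits the post and writes a patch file into REPO/outgoing, ready for
# git send-email. Needs git and a clone of
# https://gitlab.com/qemu-project/qemu-web.git in REPO.
submit_post() {
    repo=$1; post=$2
    git -C "$repo" add "$post"
    git -C "$repo" commit -q -m "Add blog post on the Secure Open Source Rewards program"
    git -C "$repo" format-patch -1 -o "$repo/outgoing"
    # Then, as Thomas asks, send it to the list with Paolo and Thomas on CC:
    #   git send-email --to=qemu-devel@nongnu.org \
    #       --cc=pbonzini@redhat.com --cc=thuth@redhat.com "$repo"/outgoing/*.patch
}
```

Usage: `post=$(new_post ./qemu-web 2021-11-23 sos-rewards "Secure Open Source Rewards")` followed by `submit_post ./qemu-web "$post"` inside a fresh clone; the date and slug checks in new_post are what keep a mistyped argument from producing a file outside _posts or a name Jekyll will not pick up.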