Hello everyone,
Firstly, if I'm reaching out through the improper channel, I apologize. I didn't want to spam security channels or file a GitHub issue to reach out. Please forward this to the appropriate channel if you can!
I'm Derek, founder of https://ostif.org, and I'd like to discuss collaborating with the Rust VMM community on doing a security review of the project. This is entirely without cost, and we will work with you as much or as little as members would like to participate. We have a long history of collaborating with projects to help them with security and I'm happy to give you references if needed.
We'd like to look at your testing regimen, do some manual code review, and do some supply chain analysis and then make recommendations based on our findings. We can also help with fixes if they are complex, or to build out some security tools to be more useful (rule sets for static analysis tools, expanding fuzzing code coverage, improving fuzzer performance, etc.).
We have a deep network of experts from many fields, and we can shape this security review to focus on whatever Rust VMM needs. After all, you know more about what your project needs than we do.
I'm excited about Rust VMM in particular because I'm really passionate about Rust and getting away from error-prone languages. We're currently working on wasmCloud and Wasmtime as well, and building a proposal to improve OSS-Fuzz for all Rust projects directly with Google.
To move this forward, I'd like to talk with the lead contributor/s about how we can help, and how we can best work together.
If you have any questions, feel free to email me directly. I'm happy to help in any way that I can!
All the best,
Derek Zimmer
Executive Director
Open Source Technology Improvement Fund