Hey Derek,


We have a rust-vmm sync meeting every 2 weeks on Monday at 5 PM CET. The next one is on 15th of May. If that fits your schedule, it would be great to chat during that meeting. Otherwise, we can set up a meeting at another time.


I can give you pointers for the security related testing that we already have in some of the rust-vmm crates. The project ownership is distributed, so you will need to get in contact with multiple folks as there is not a single person that knows the insides of every rust-vmm component. I can also help you with pointers for people that you can chat with.


Thanks,

Andreea


From: Derek Zimmer <derek@ostif.org>
Sent: Wednesday, May 3, 2023 7:08:37 PM
To: rust-vmm@lists.opendev.org
Subject: [EXTERNAL] [Rust-VMM] Hello from OSTIF! We are interested in doing a free security review of Rust VMM.
 



Hello everyone,

Firstly, if I'm reaching out through the improper channel I apologize. I didn't want to spam security channels or file a GitHub issue to reach out. Please forward this to the appropriate channel if you can!

I'm Derek, founder of https://ostif.org and I'd like to discuss collaborating with the Rust VMM community on doing a security review of the project. This is entirely without cost, and we will work with you as much or as little as members would like to participate. We have a long history of collaborating with projects to help them with security and I'm happy to give you references if needed.

We'd like to look at your testing regimen, do some manual code review, and do some supply chain analysis and then make recommendations based on our findings. We can also help with fixes if they are complex, or to build out some security tools to be more useful (rule sets for static analysis tools, expanding fuzzing code coverage, improving fuzzer performance, etc.)

We have a deep network of experts from many fields, and we can shape this security review to focus on whatever Rust VMM needs. After all, you know more about what your project needs than we do.

I'm excited about Rust VMM in particular because I'm really passionate about Rust and getting away from error-prone languages. We're currently working on wasmCloud and wasmTime as well, and building a proposal to improve ossfuzz for all Rust projects directly with Google.

To move this forward, I'd like to talk with the lead contributor/s about how we can help, and how we can best work together.

If you have any questions, feel free to email me directly. I'm happy to help in any way that I can!

All the best,

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif