Are there open source projects who are not prepared to receive this kind of contribution?
What are the funds used for? Hosting? Paying developers?
If it's for paying developers, then I imagine there could be political issues where some contributors are working for free, and some are paid. How do you apportion the funds?
There are different types of funding provided by Mozilla. We participated in the Secure Open Source (SOS) Fund and that was pretty straightforward. Mozilla pays a security firm to audit an open source codebase and then report their findings to the authors. There is little to argue over compensation-wise.
Mozilla plays a small but valuable role in shepherding fixes that assists any team unprepared to deal with such an audit report. I think having Mozilla broker the conversation helps with framing the report too: it communicates that the project is important enough to warrant such an interaction and that this was done to help, whereas I think that communication directly from a security firm is more typically viewed with suspicion or denial.
Hypothetically, the target of the assessment not being paid to fix the discovered issues could present a problem. I have never seen compensation to fix security bugs in practice. In some ways, it feels wrong since the compensation might go up based on the number or severity of bugs found, in essence a reward for insecure code. If you're maintaining a critically important project, security fixes seem like the cost of entry, not something that needs an extra push.
In my opinion, it is better to earmark funds to developers for strategic improvements anyway (eg. sandboxing, verification, privilege separation, etc). The Foundational Technology Fund from Mozilla requires a "clear and current project goal" [1], so if they funded a security improvement it looks like it would follow this approach [2].
In our experience, working with zlib was a pleasure. They fixed nearly all of our issues before we even noticed and we had a detailed, technical discussion about one of them. I credit Gervase at Mozilla for assisting with that and I would certainly work with the whole team there again.
Freenet is facing this. They got a 25k donation from DuckDuckGo and have been debating for the last couple of months how to spend it, whether the previous paid developer gets to continue, etc. They're running a poll at the moment to decide on projects and priorities. The developer mailing list has the details.
Do not use Freenet without additional precautions like VPN. Merely using Freenet is enough to have the cops raid your house, whether guilty or innocent.[0]
Close! tis-interpreter requires inputs to drive it, so we fed it inputs that the CRS generated, that AFL generated, and some existing test cases. tis-interpreter found 4 bugs and clang found 1.
> This doesn't necessarily mean CRS is bad, it may just mean that there are no bugs of the classes CRS finds in zlib.
Yes, exactly! This is why we included so much detail about coverage in the report. Basically, "stop looking for these kinds of bugs in these places, focus your efforts elsewhere in the code."
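The point of the coverage detail above is that replaying the fuzzer-generated and hand-written inputs also tells you which code the campaign never reached. As an added illustration (not code from the audit, zlib, tis-interpreter or AFL), here is a small Python harness that replays a constructed corpus through a toy length-prefixed record parser, records which source lines of the target executed, and reports both any exceptions and the lines no input ever touched. The parser, the corpus entries and their "crs-"/"afl-"/"regress-" names are all constructed for the example.

```python
import dis
import inspect
import sys


def parse_records(data: bytes) -> list:
    """Constructed toy target: a stream of length-prefixed records.

    Stands in for the library under test; it is not zlib.
    """
    records = []
    i = 0
    while i < len(data):
        length = data[i]
        i += 1
        if length == 0:
            continue  # empty record, nothing to copy
        if i + length > len(data):
            raise ValueError("truncated record")
        records.append(data[i:i + length])
        i += length
    return records


def replay_with_coverage(target, corpus):
    """Run every corpus entry through target under a line tracer.

    Returns a dict with the exceptions raised per input ("findings"), the
    source lines of target that executed ("covered") and the executable
    source lines no input reached ("uncovered").
    """
    code = target.__code__
    hit = set()

    def tracer(frame, event, arg):
        # Only record line events raised inside the target's own frame.
        if frame.f_code is code and event == "line":
            hit.add(frame.f_lineno)
        return tracer

    findings = {}
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for name, data in corpus.items():
            try:
                target(data)
            except Exception as exc:  # a crash is a finding, not a harness failure
                findings[name] = repr(exc)
    finally:
        sys.settrace(previous)

    # Executable lines are those that own at least one bytecode instruction,
    # excluding the def line itself.
    executable = {
        ln for _, ln in dis.findlinestarts(code)
        if ln is not None and ln > code.co_firstlineno
    }
    src_lines, start = inspect.getsourcelines(target)

    def text(ln):
        return src_lines[ln - start].strip()

    return {
        "findings": findings,
        "covered": sorted(text(ln) for ln in hit if ln > code.co_firstlineno),
        "uncovered": sorted(text(ln) for ln in executable - hit),
    }


# Constructed corpus: a "CRS-style" structured input, a minimal "AFL-style"
# input and an existing regression case. None of them is truncated.
CORPUS = {
    "crs-0001": b"\x03abc\x00\x02de",
    "afl-0001": b"\x01x",
    "regress-1": b"",
}

if __name__ == "__main__":
    report = replay_with_coverage(parse_records, CORPUS)
    print("findings:", report["findings"])
    print("never reached:", report["uncovered"])
```

With the corpus as constructed, the report shows no findings and lists the truncation check's `raise` line as never reached, which is exactly the "stop looking here, look elsewhere" signal: either add an input that exercises that path or accept that the campaign says nothing about it. Adding one truncated input flips that line into the covered set and produces a finding for it.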
I was browsing through the Mozilla security blog and saw that they did some work on OWASP's "alternative" to Burp Suite, ZAP, which was a little surprising. That project could certainly use a little influx of cash/developer time.