Open Source Security Project . org

Volunteers requested

The purpose of this project is to patch open source projects to eliminate known CVEs

We seek volunteers to do a few things

1. Review open source projects for specific known CVEs and submit patches (we will provide a project list and the vulnerability to fix)

Volunteers will submit patches to each project and work with the maintainers to publish new versions of their projects without the vulnerability

2. Create tools to automate finding vulnerable projects

3. Make a decent web site for this. Clearly I'm not good at websites

Being a security researcher is not a requirement here: we are not trying to find new vulnerabilities. Our goal is to eliminate the known vulnerabilities from the current versions of open source libraries.

Interested in volunteering? Email me at ldiamond at ldiamond dot com and let's make the internet safer.



Best Practices for volunteers:

1. Never publicly disclose that a project had a vulnerability until after the project makes a new release after merging in the patch (and preferably give them a week or two after the release so that their community can take the new release and close the vulnerability).

2. Always read the README.md, CONTRIBUTING.md, and SECURITY.md pages and follow the process the maintainers have set up for patches.

3. If no documentation exists for how the maintainer would like contributions:

a. Open an issue in their GitHub repo indicating the CVE you'll be patching (if they've enabled issues)

b. Fork the project

c. Make a branch on your fork for the CVE

d. Upgrade the branch for only that CVE

e. Rerun their tests

f. Commit and push your code to your fork

g. Submit a PR to the project from your fork to their master branch referencing the issue (if one was made)
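Step d (upgrade the branch for only that CVE) and item 2 above (tools to automate finding vulnerable projects) share one mechanical core when the CVE is fixed by bumping a dependency pin: find the pins below the fixed release and rewrite nothing else. The script below is an added example, not part of this project's code; the package names, the manifest and the CVE id are constructed placeholders, and it assumes a requirements.txt-style manifest with purely numeric dotted versions.

```python
"""Minimal-diff dependency bump: touch only the pins an advisory covers."""
import re
from typing import NamedTuple, Optional


class Advisory(NamedTuple):
    cve: str            # placeholder id; real ones come from the advisory
    package: str
    fixed_version: str  # first release without the vulnerability


# name==version, optional trailing comment; "-r", blanks and ranges are skipped
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(#.*)?$")


def version_key(v: str) -> tuple:
    """Assumes numeric dotted versions (1.2.0); pre-release tags are out of scope."""
    return tuple(int(p) for p in v.split("."))


def _vulnerable_pin(line: str, adv: Advisory) -> Optional[re.Match]:
    """Match only if this line pins the advisory's package below the fixed version."""
    m = REQ_LINE.match(line)
    if m and m.group(1).lower() == adv.package.lower() \
            and version_key(m.group(2)) < version_key(adv.fixed_version):
        return m
    return None


def find_vulnerable(manifest: str, adv: Advisory) -> list:
    """Return (line_no, pinned_version) for every affected pin (the 'finding' tool)."""
    return [(n, m.group(2)) for n, line in enumerate(manifest.splitlines(), 1)
            if (m := _vulnerable_pin(line, adv))]


def patch_manifest(manifest: str, adv: Advisory) -> str:
    """Bump only the affected pins; comments, spacing and other packages stay byte-identical."""
    out = []
    for line in manifest.splitlines(keepends=True):
        m = _vulnerable_pin(line, adv)
        if m:  # splice the new version into the matched span, keeping the rest of the line
            line = line[:m.start(2)] + adv.fixed_version + line[m.end(2):]
        out.append(line)
    return "".join(out)


SAMPLE_MANIFEST = """\
# constructed sample requirements.txt, not from any real project
otherlib==3.0.1
examplelib==1.2.0   # pinned below the fixed release
examplelib-plugin==0.9
"""
EXAMPLE_ADVISORY = Advisory("CVE-0000-0000 (placeholder)", "ExampleLib", "1.4.2")

if __name__ == "__main__":
    print(find_vulnerable(SAMPLE_MANIFEST, EXAMPLE_ADVISORY))
    print(patch_manifest(SAMPLE_MANIFEST, EXAMPLE_ADVISORY), end="")
```

Run `find_vulnerable` across a list of cloned repos to triage which ones need a PR, then apply `patch_manifest` on the CVE branch and rerun the project's tests before pushing.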


The time to patch a project is about 10 minutes + the time to run their unit tests.


All Open Source maintainers are extremely knowledgeable about whatever their project is about. A great many are unpaid volunteers.

Not all are security experts; they may have questions, may not understand the issue, and may reach out to you for help.

Help them if you can and refer them back to the volunteering email address above if they have questions that you can't answer.


Thank you very much for volunteering to help the Open Source Community!