jbeder / yaml-cpp

A YAML parser and emitter in C++
MIT License
4.91k stars 1.78k forks

Security Audit of yaml-cpp #1200

Open OSTIF-Derek opened 11 months ago

OSTIF-Derek commented 11 months ago

I'm Derek, founder of OSTIF and I'd like to discuss collaborating with the yaml-cpp community on doing a security review of the project. This is entirely without cost, and we will work with you as much or as little as members would like to participate. We have a long history of collaborating with projects to help them with security and I'm happy to give you references if needed.

We'd like to look at your testing regimen and do some manual code review and then make recommendations based on our findings. We can also help with fixes if they are complex.

To move this forward, I'd like to talk with the lead contributor/s about how we can help, and how we can best work together.

If you have any questions, feel free to email me directly (my name from the beginning of this intro @ostif.org). I'm happy to help in any way that I can!

(Also I apologize for filing this as a GitHub issue! We couldn't find an alternative way to contact the community. It looks like this is solo-maintained by jbeder, but the studio's website email gave us a bounce.)

All the best,

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund

jbeder commented 10 months ago

Hey Derek,

I'm indeed a solo maintainer here, and I don't devote a ton of time to maintenance any more. In particular, I just review and merge easy PRs, and sometimes give advice on more complex ones.

So: I'm happy to review and merge easy PRs :)

OSTIF-Derek commented 10 months ago

> Hey Derek,
>
> I'm indeed a solo maintainer here, and I don't devote a ton of time to maintenance any more. In particular, I just review and merge easy PRs, and sometimes give advice on more complex ones.
>
> So: I'm happy to review and merge easy PRs :)

Totally understandable on the maintenance. We can keep it pretty simple on your end. Would it be acceptable if we conducted the security review and provided you with fixes directly as PRs? Additionally, if we want to improve your OSS-Fuzz testing, would you be open to PRs for that too?

We can also discuss remuneration for your time if we connect privately or you'd like to discuss any other details privately. You can reach me directly at my first name at ostif dot org.