Dear all,
I have been asked by the security team at Eclipse if Mosquitto would like to have a security audit using these funds, and I think this is an excellent idea.
The security audits focus on specific sub-component(s) of the project, with a scope decided by the project, rather than the project as a whole. This means that the first step is to define the scope of the audit. The security team has provided some suggestions:
* Security of the build pipeline
* Search for use-after-free and/or buffer overflow
* Usage of OpenSSL/cJSON/c-ares
My own opinion is that out of those, looking at OpenSSL usage would be the most beneficial. I think the memory usage is already well covered by Coverity Scan and valgrind based testing.
I would be very interested in other suggestions or thoughts if you have them.
I hope to be having a call with Mikaël Barbero, the head of security at Eclipse. I would be pleased to have community members join the call. I do not yet have the details of when that will be, but it is likely to be on a Tuesday or Thursday morning, UK time, possibly this coming Thursday. If you are interested in joining then please let me know.
Regards,
Roger