So for examples like:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23645&q=grpc&can=2

do those get reported as CVEs automatically, or is a human required to 
"groom" a CVE report per the noted process?  Put another way, are the 
(reproducible) issues listed in oss-fuzz "latent" CVEs that no human has 
had a chance to review and put together a human-reviewable report? Or are 
they triaged and reviewed regularly by the project and deemed NOT to be 
real issues worthy of a CVE?

On Friday, April 23, 2021 at 12:41:51 PM UTC-7 Jiangtao Li wrote:

> Hi Aleks,
>
> We have done third party vulnerability testing in gRPC C++. The results 
> are here: 
> https://github.com/grpc/grpc/blob/master/doc/grpc_security_audit.pdf.
> We also have extensive fuzzing and scanners set up in Chrome OSS fuzzing. 
> See https://bugs.chromium.org/p/oss-fuzz/issues/list?q=grpc&can=2
>
> We have not done any vulnerability testing using BURP. Feel free to try 
> test yourself and report vulnerabilities if you find anything interesting. 
> Please use 
> https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md to 
> report bugs/vulnerabilities to us.
>
> Best,
> Jiangtao
>
> On Thursday, April 22, 2021 at 8:09:37 AM UTC-7 ayeg...@gmail.com wrote:
>
>> In my organization we have pretty stringent requirements on security, and 
>> all of our http endpoints get tested with the BURP suite from 
>> PortSwigger.net. My service is accepting bi-directional streaming requests 
>> and now it needs to be tested. Like I mentioned the default tool is BURP 
>> and the only mention of gRPC I could find is this 
>> https://forum.portswigger.net/thread/http-2-and-grpc-support-52da4c5677b4
>> .
>>
>> Has anyone done this kind of testing? If so, could you please share how 
>> you did it?
>>
>> The question to gRPC devs - how do you validate and perform vulnerability 
>> scans on gRPC endpoints? What is the best way to address this need?
>>
>> Sincerely,
>> Aleks
>>
>

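For anyone trying to do the Burp-style testing Aleks asks about, the first thing you need is to recognise what actually crosses the wire on a gRPC stream: each message inside an HTTP/2 DATA frame is a 5-byte prefix (one compressed-flag byte plus a big-endian 32-bit length) followed by the serialized protobuf. The example below is added here and is not code from the thread or from the gRPC project; the function names (frame_message, parse_stream, with_declared_length, encode_string_field) and the sample bytes are my own constructions. It frames and parses that format, shows how a tester would tamper with the declared length the way one would in a proxy, and shows the checks a receiver should apply instead of trusting the prefix.

```python
"""gRPC Length-Prefixed-Message framing, as seen inside HTTP/2 DATA frames.

Added example for proxy-based testing of gRPC streams; names and sample
payloads are constructed for illustration and are not gRPC project code.
"""
import struct

GRPC_HEADER_LEN = 5  # 1 byte compressed flag + 4 byte big-endian length


def _varint(n: int) -> bytes:
    """Protobuf base-128 varint encoding of a non-negative integer."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def encode_string_field(field_number: int, value: str) -> bytes:
    """Encode one length-delimited (wire type 2) protobuf field.

    Enough to build a realistic request body for a message such as
    `message Req { string text = 1; }` without a compiled stub (assumed schema).
    """
    tag = (field_number << 3) | 2
    data = value.encode("utf-8")
    return _varint(tag) + _varint(len(data)) + data


def frame_message(payload: bytes, compressed: bool = False) -> bytes:
    """Wrap a serialized message in the gRPC 5-byte prefix."""
    return struct.pack(">BI", 1 if compressed else 0, len(payload)) + payload


def with_declared_length(frame: bytes, declared: int) -> bytes:
    """Rewrite only the length prefix; the kind of tamper a tester does in a
    proxy to check that the peer validates the prefix against the real body."""
    return frame[:1] + struct.pack(">I", declared) + frame[GRPC_HEADER_LEN:]


def parse_stream(data: bytes, max_message_bytes: int = 4 * 1024 * 1024):
    """Split DATA-frame bytes into complete messages.

    Returns (messages, leftover): messages is a list of (compressed, payload),
    leftover is any trailing partial message to be prepended to the next frame.
    Rejects an unknown flag byte or a declared length above the limit before
    allocating anything, rather than trusting the sender's prefix.
    """
    messages = []
    offset = 0
    while len(data) - offset >= GRPC_HEADER_LEN:
        flag, length = struct.unpack_from(">BI", data, offset)
        if flag not in (0, 1):
            raise ValueError(f"invalid compressed flag {flag} at offset {offset}")
        if length > max_message_bytes:
            raise ValueError(f"declared length {length} exceeds limit {max_message_bytes}")
        start = offset + GRPC_HEADER_LEN
        if len(data) - start < length:
            break  # message continues in a later DATA frame
        messages.append((flag == 1, bytes(data[start:start + length])))
        offset = start + length
    return messages, bytes(data[offset:])


if __name__ == "__main__":
    # Constructed sample: two messages in one DATA frame, then a truncated third.
    stream = (frame_message(encode_string_field(1, "hello"))
              + frame_message(encode_string_field(1, "world"))
              + frame_message(b"partial")[:-3])
    msgs, rest = parse_stream(stream)
    print(len(msgs), "complete messages;", len(rest), "bytes held for next frame")
    tampered = with_declared_length(frame_message(b"abc"), 0xFFFFFFFF)
    try:
        parse_stream(tampered)
    except ValueError as e:
        print("rejected tampered frame:", e)
```

When looking at Burp (or any HTTP/2-capable proxy) output, this is the shape to expect in the request and response bodies of a bidirectional stream: a sequence of these frames, not a single document. Mismatches between the declared length and the bytes present, and flag values other than 0 or 1, are the framing-level cases worth sending to a server under test; the parser above shows the receiver-side handling you would want to see.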
-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/c700828a-b9e2-42f2-9e43-502cccf7db9en%40googlegroups.com.