[tor-dev] Source Code Static Analysis

Matthew Finkel matthew.finkel at gmail.com
Sun Apr 28 20:34:54 UTC 2013


On Sun, Apr 28, 2013 at 04:39:55PM -0300, Ulises Cuñé wrote:
> I send you a new Security Report.
> 
> Regards,
> U
> 
> 
> 2013/4/27 Nick Mathewson <nickm at alum.mit.edu>
> 
> > On Sat, Apr 27, 2013 at 7:16 PM, Ulises Cuñé <ulises2k at gmail.com> wrote:
> > > I want to collaborate with the Tor project.
> > >
> > > I send a document of source code analysis of the latest version
> >
> > Well, looks like I'm spending my evening combing through this thing
> > looking for true-positives.  If you find any that aren't
> > false-positives --- particularly security-relevant ones --- please
> > send me a gpg-encrypted mail or something.  Sending them to the
> > mailing list like this isn't so great.
> >
> > (Does the Fortify license actually let you do this? I thought most
> > tools like this were a little picky about what code you could run them
> > on, and what you could do with the results.)
> >
> > best wishes,
> > --
> > Nick

Hi Ulises,

If you really want to collaborate, there are numerous different ways you
can do it. As an outsider myself, I understand it's difficult to decide
how exactly you can help and make improvements to Tor and the Tor
ecosystem. However, providing these reports in this way really is not
the best method to establish a collaborative relationship with the project.

The devs are really friendly, as I've discovered, so in the future it
is probably best if you contact them directly (as Nick described) and
discuss any (potential) vulnerabilities you've found rather than sending
an entire list of potential vulnerabilities to an open list.

- Matt
