terms of resources, the project was assigned to four members of the Cure53 team with best-suited expertise and skills. The testing team examined the scope in June 2020, namely in calendar weeks 24 and 25. A during the project stood at twenty person-days. To best address the objectives expressed by the Dapr team, two work packages (WPs) were outlined. In WP1, Cure53 performed both a broad and thorough source shift in methods, WP2 encompassed penetration tests against Dapr integration and setup. The Cure53 team relied on a fully installed Kubernetes cluster, complete with sample applications that needed to be

Pentest- & Retest-Report Dapr 02.2021 Cure53, Dr.-Ing. M. Heiderich, Dipl.-Inf. G. Kopf & other Team Members Index I ntroduction Scope Identified Vulnerabilities DAP-02-001 WP3: Status of vulnerabilities sources, which are available on GitHub as OSS. In addition, a dedicated environment created by the Dapr team for the testing purposes was provided. White-box methodology, just as last time, has guided the work Communications during the test were done using a dedicated channel on the Discord server run by the Dapr team. This is a shift from Gitter, which was used in the past. Nevertheless, all discussions were to the

key principle for us when it comes to choosing a platform is that we can maintain the size of our team." —CTO @ Handled Cloud + Edge Separation of concerns Application focused Application focused Provide manageability of CRDs, consistency of app model, portability of app profiles Give platform team flexibility to choose and operate the infra tools in their domain knowledge by adopting OAM ROS-OAM

key principle for us when it comes to choosing a platform is that we can maintain the size of our team." – CTO @ Handled.io OAM: Platform agnostic application model The open application model for cloud

code or new bugs introduced a�er the audit itself. If that happens, OSS-Fuzz will notify the Dapr team with a stacktrace and a reproducer testcase. # Title Mitigation 1 Index out of range in ra� log

com/nats-io/stan.go Planned for removal in Dapr 1.13 5 Deprecated github.com/golang/protobuf Assessed by Dapr team. No change in code. Archived or deprecated projects are unlikely to fix issues - both reliability