consuming packages from mirrors instead of the main and intended packages. These are known attack vectors; recently researchers found 1,652 malicious packages disguised as legitimate packages8. SLSA compliance security audit 2023 This type of risk applies to all open source projects that use other open source packages in their dependency trees. The Scorecard project11 aims to mitigate that risk by formalizing a set

securing the so�ware in the CNCF landscape. Demonstrating and ensuring the security of these so�ware packages is vital for the CNCF ecosystem and the CNCF continues to use state of the art techniques to secure the Dapr fuzzers are the two key so�ware packages that OSS-Fuzz uses to fuzz Dapr. The following figure gives an overview of how OSS-Fuzz uses these two packages and what happens when an issue is found/fixed

cure53.de · mario@cure53.de way to rectify past security mistakes. In effect, three work packages (WPs) were delineated: • WP1: Thorough source code audit of the latest Dapr version • WP2: Penetration

stood at twenty person-days. To best address the objectives expressed by the Dapr team, two work packages (WPs) were outlined. In WP1, Cure53 performed both a broad and thorough source code audit of the