Malware Triage Volunteer Opportunities?

Hi folks! New around here so please forgive any misunderstandings :slightly_smiling_face:

I was looking through warehouse on GitHub and PyPA documentation about individual membership, and it looks like most of the time people join PyPA projects by becoming a maintainer. Are there other ways to get involved with PyPI, such as volunteering specifically to help triage external reports (ex. malware on PyPI, typosquatting, etc.)? I’d love to help out where I can!

Hey Chris, thanks for your interest.

Right now, the reporting process for malware on PyPI is to essentially email the PyPI admins, and right now the admins review every report. Even if we had triagers, we’d probably want to continue doing this to ensure we aren’t removing false positives. Additionally, almost all reports are valid, so triaging wouldn’t really cut down on the number of reports we have to process.

That said, if you’re interested in contributing to the effort to reduce malware and improve response times to reports, working on steps towards improving our reporting infrastructure would probably be the most impactful, or even working on making the code introspection tool that reporters use more useful.

Happy to support any of those efforts if you’re interested in getting started!

Totally agreed that a security triage desk that forwards vast-majority-valid reports up to administrators would not be adding value!

But I’m more approaching this from the perspective of: if someone put in the work to become a reliable and trusted malware reporter, would there be space at the administrator table for them to help with security related tasks? Ideally so maintainers can focus on maintaining & building new stuff, instead of sifting through abuse reports. I love digging through malware much more than I love writing code, personally!

Though do note that this is not a “please gib admin, I can be trusted, definitely not evil” post - I’m just wondering if the ownership model allows for that currently, or if the ‘only’ way in is through becoming a maintainer. Y’all are getting malware reports from me anyway - five packages and counting! - so it’s just a “wondering for the future” thing :slight_smile:

Not quite the answer to your question, but given that we already have a strong pool of malware reporters (and there’s a lot of overlap between their reports) I could see implementing a policy that a given project could be taken down automatically if N unique (and uniquely-affiliated) reporters all report it, which would speed up takedowns and reduce burden without reporters having to do more work.

(Worth noting that right now, there’s also no good way for us to provide differentiated permissions for “can remove malware” and “can remove anything on PyPI”, so what you’re asking for is essentially the latter, which we tend to be careful with :wink:)