To enable swift progress and expected coverage of the ‘delta’, Cure53 could leverage access to sources, which are available on GitHub as OSS. In addition, a dedicated environment created by the Dapr team this work package, alongside the updated sources shared shortly before the audit ◦ Test-supporting material was made available for Cure53 ◦ All relevant sources were made available for Cure53 Cure53,

latest version of Dapr. The focus was explicitly placed on the Dapr main repository and the contained sources. Dapr also requested that particular attention is dedicated to finding logical flaws and deep-seated source software, the adopted methodology was clearly a white-box approach. Cure53 had access to sources, as well as received various test- supporting materials. The Dapr team clarified the threat filtering features, pub/sub mechanism implementations, authentication features and throttling. ◦ Sources ▪ Repository: • https://github.com/dapr/dapr.git ▪ Commit ID in scope: • 9cfdf3b3c838db17fb

Fixed: No Dapr has two cases of possible bypasses of a size checks of HTTP responses from untrusted sources: 1. Daprs external AppChannel 2. Daprs local AppChannel The vulnerable methods limit the size of