Vulnerability Disclosures
Our vision is an open source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.
Objectives and Key Results (CY 2020)
The first objectives we're using to track our progress towards that vision are:
- Create a unified format and API for vulnerability reporting (from researchers to maintainers) and drive broad adoption of it across the open source software ecosystem
- Create a unified format, API, and process for coordinated disclosure (from maintainers to users/the world) and drive broad adoption
Outputs
- Unified list of metadata for vulnerability reports and disclosures
- Meeting notes are in this repository
Governance
The CHARTER.md outlines the scope and governance of our group activities.
Meetings
Schedule
The working group meets every three weeks, on Monday at 7am Pacific. Currently we are using Zoom for working group meetings. The invite is available on the OpenSSF Community Calendar.
Contact Marcin if you wish to be added to the invite list.
Agenda
The meeting agenda is published prior to the meeting in a GitHub issue with the label meeting. The issue contains the agenda items and logistics details such as date, time, Zoom link and a link to the meeting notes document.
Who is in this Working Group?
- Leader: Marcin Hoppe (Auth0 / Node.js Ecosystem Security WG)
- Alex Mullans (GitHub)
- Nico Waisman (GitHub)
- Eva Sarafianou (Auth0)
- Crystal Hazen (HackerOne)
- Alex Rice (HackerOne)
- Eric Brewer (Google)
- Steve Dower (Microsoft/CPython)
- Hauwa Otori (GitHub)
- Lindsey Glovin (Uber)
- Sherif Mansour (OWASP)
- Martijn Russchen (HackerOne)
- Ben Willis (HackerOne)
- Reed Loden (HackerOne)
- Marcus Meissner (SUSE)
- Matthew Dressman (Microsoft)
- Morten Linderud (Arch Linux)
- Josh Bressers (Elastic)
- Gilles Gravier (Wipro)
We use the vulnerability-disclosures-wg GitHub team.