CloudSecurityAlliance / gsd-tools

Global Security Database Tools
https://gsd.id
Apache License 2.0

Create GSD contribution guide #99

Open kurtseifried opened 2 years ago

kurtseifried commented 2 years ago

Create GSD contribution guide

user stories/cases:

researcher/GSD user
  - get 1 GSD ID
  - get multiple GSD IDs
  - get multiple GSD IDs over time
  - update of 1, many, many over time GSD IDs
  - how to mark as duplicate of another
  - how to challenge/delete a GSD

dev
  - how to get involved in GSD automation/tooling/consumption tools/schema validators/etc.

other stories/use cases?

TheFoxAtWork commented 2 years ago

  1. User wants to look up/add/correlate multiple identifiers for the same object (Snyk ID, v. CVE, v. other vendor ID)
  2. User wants to subscribe/unsubscribe from GSD notices on a particular keyword or component
  3. User wants to link articles/posts around breaches/exploits of a known vuln (potential auto updated from RSS filtering?) (mark links as useful, not useful, or dead)

mathrock commented 2 years ago

Since the success of the Global Security Database (GSD) is heavily based on getting user buy-in and contribution, users need to see how it can solve problems for which they don’t currently have solutions.

I think it should be clearer what current problems are initially in-scope to be solved by GSD, which from what I understand fall under the following two main categories:

This is not to suggest that I'm recommending limiting the scope, just focusing on some core use cases so that hopefully others will be encouraged to contribute and grow the community.

joshbressers commented 2 years ago

I think starting with a highly constrained scope is a good idea.

ThatOhGi commented 2 years ago

Hey everybody, I'm new to open source and dev. I've been looking for a project to support since October, but nothing really jumped out at me until this one. Sorry if this isn't the place for an intro, but I wanted to share my experience level and manage expectations. I'm excited about this project for two reasons: one, it is still young enough that I feel confident jumping in without being overwhelmed, and secondly, who doesn't love staying up-to-date with the most current CVEs!

I'm not sure what expertise I can lend to the project, but I'm happy to help with documentation and yak shaving. If there is something specific to focus on, I'm happy to dig in.

joshbressers commented 2 years ago

Hi @ThatOhGi

Welcome aboard!

This isn't the best place to have a discussion. Can you subscribe to the mailing list and basically copy and paste your message there? https://groups.google.com/a/groups.cloudsecurityalliance.org/g/gsd

I know it's scary to start a new post sometimes but I promise your mail will be most welcome!

joshbuker commented 2 years ago

Putting this link in the first place I looked: https://github.com/cloudsecurityalliance/gsd-database/blob/draft-docs/CONTRIBUTOR.md

Still working on fleshing this out in such a way that it's easy to follow and concise.

joshbuker commented 1 year ago

It appears this can be done at the organization level: https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file#supported-file-types

joshbuker commented 1 year ago

Ruby on Rails CONTRIBUTING.md example: https://github.com/rails/rails/blob/main/CONTRIBUTING.md