Package Vulnerability Management & Reporting Collaboration Space
Mission Statement
Today maintainers deal with a significant influx of issues, PRs (regarding dependency updates) & broader communications whenever a new CVE is reported against a popular library in our ecosystem. Many of these reports are considered "false positives" from an impact/vulnerability perspective. This level of noise creates distrust in the relationships between security companies/researchers, maintainers, & the collective end-users/consumers.
By creating a neutral forum to discuss & ideate across this ecosystem's stakeholders, we hope to improve CVE reporting & resolution workflows, minimizing the burden on maintainers & the noise for consumers.
Examples of desired or successful outcomes from this discourse/space:
- Improved delineation of domains & controls
- Improved communication between maintainers & security researchers/organizations
- Improved tooling for package auditing, resolution & management as a whole
  - ex. package maintainers have a mechanism to flag/counterclaim vulnerability reports of dependencies that do not affect their own usage/workflows
  - ex. end-users have a mechanism to more granularly control the visibility of the vulnerability reports of their dependencies (including filtering on flags/counterclaims)
Collaboration Space Members
In-Flight Initiatives
- [x] Submit & get accepted a proposal for dedicated Collaboration Space
- [x] Creation of a dedicated repository within the openjs-foundation GitHub Organization
- [x] Creation of a channel within the Foundation's Slack Organization
- [ ] Determine a time for recurring meetings with members
- [ ] Set up meeting generation tools to align with existing Foundation best practices
- [ ] Set up the Foundation's Zoom & YouTube accounts for streaming
Links & Resources