Generate an OSSF-wide glossary and definition list for terms used across the WGs and SIGs

[u269c]

As it was brought up in our weekly Vuln WG sync - see 2022-JUL-27's notes - we would like to ask for the Education WG to take this on.

The idea here would be to:

• [ ] Create a shared, agreed language definition for all infosec-related terminology for all WGs
• [ ] offer this list in a fairly public fashion (GH, site, t-shirt?) for the communities to access easily

The benefits here will be clear, but include:

• shared language mean we can avoid confusion between the different WGs and SIGs documents
• reduce complexity of said documents by avoiding duplication of words
• help position the openssf w.r.t. some words

Thank you,

[vmbrasseur]

From the 2022-08-31 BEST SIG call:

• [CRob] Issue 11 proposed by Vuln Disclosure group for this team to take ownership of (Dictionary of terms for the whole Foundation):
  • https://github.com/ossf/education/issues/11
  • CVD Guide for Finders glossary
  • Existing info (that we know of):
    • https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md
    • https://glossary.cncf.io/
    • https://niccs.cisa.gov/cybersecurity-career-resources/glossary
  • This will require participation and contributions for all of the OSSF groups; we should open source existing definitions from other places and cite them
  • There may also be occasion to provide additional details as it pertains specifically to open source or supply chains
  • DECISION: 12 votes to take it on
  • @CRob will put something in the git repo and talk with the TAC
    • Will this document be required to go through TAC approval?
    • No, we will get initial approval to work on it, after that we can manage it as we see fit; any funding does need to go through the TAC process

[SecurityCRob]

created https://github.com/ossf/education/tree/main/terminology to begin work. Will reach out to TAC and broader OSSF for contributions

[TheFoxAtWork]

There is an existing glossary/lexicon on terminology with resource that CNCF Security TAG started a while ago, it has a lot of terms in it, not sure how much is transferrable for this: https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md

[caniszczyk]

If OpenSSF wanted to leverage https://glossary.cncf.io and the code behind it https://github.com/cncf/glossary that can be one option.

On Wed, Nov 16, 2022 at 2:20 PM Emily Fox @.***> wrote:

There is an existing glossary/lexicon on terminology with resource that CNCF Security TAG started a while ago, it has a lot of terms in it, not sure how much is transferrable for this: https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md

— Reply to this email directly, view it on GitHub https://github.com/ossf/education/issues/11#issuecomment-1317097128, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAPSIIRKBUZBL5RGABY553WITURPANCNFSM57QDVQYQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Cheers,

Chris Aniszczyk https://aniszczyk.org