ossf / wg-security-tooling

OpenSSF Security Tooling Working Group
https://openssf.org
Apache License 2.0

Add information about Verification of Findings initiative #19

Closed fcanogab closed 2 years ago

fcanogab commented 3 years ago
coderpatros commented 3 years ago

Maybe a recommendation that creating a public github issue is perhaps not the best way to report a vulnerability? And that you should check for a security policy or another channel to responsibly disclose?

(but maybe that isn't in scope for the verification of findings initiative)

david-a-wheeler commented 3 years ago

This looks like it overlaps with the OpenSSF Vulnerability Disclosures WG: https://github.com/ossf/wg-vulnerability-disclosures - I recommend coordinating with them.

david-a-wheeler commented 3 years ago

Also: If it's an OSS project, in many cases OSS projects expect source code changes.

david-a-wheeler commented 3 years ago

At the least, reproducibility is a minimum bar; without that, it's impossible to determine if it's there or if it's fixed.

ware commented 3 years ago

I'd like to discuss where we are with this discussion at the WG meeting this week.

fcanogab commented 3 years ago

@ware we talked that it was probably better to include this in the Vulnerability Disclosure WG and in that group they thought this has not got enough significance to be a project by itself. I think we can close this issue.