The OpenSSF Vulnerability Disclosures Working Group seeks to improve the overall security of the open source software ecosystem by helping to mature, and advocating for, well-managed vulnerability reporting and communication.
In our October 18, 2021 WG meeting, I raised the question of "where do open-source projects turn in the event of a security crisis or emergency?" Here, a security emergency could include, for example:
the project is under active attack by a threat actor
belief that their systems, project, or build pipelines may have been compromised
discovery, or receipt of a report, of a vulnerability that they do not know how to patch
belief that a vulnerability in a project may be currently being exploited in the wild
a high-impact vulnerability in the project requires substantial coordination with affected downstream projects to mitigate damage
This is especially important when the affected project or individual does not know where to turn or who to trust for initial advice. Often, people's network strongly determines the support they are able to access in the event of a security crisis, which is inequitable; much of the basic information about how to deal with these scenarios is not (to our knowledge) documented.
Discussion resulted in us determining that:
this is not a solved problem; there is currently no place specifically for these projects to turn
we may eventually wish to coordinate such a lifeline service
a meaningful first step could be to collect some guidance about what to do in a security emergency, to provide some initial trusted guidance for projects encountering these challenges
Prior to starting a repo for documenting such a guide, we decided to discuss via GitHub issue the scope of the problem and what an effective guide, etc., could look like.