ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

Specification: OpenSSF Compliant Automated Vulnerability Fix Campaign #124

Open JLLeitschuh opened 1 year ago

JLLeitschuh commented 1 year ago

The following proposed specification is up for review:

https://docs.google.com/document/d/1_QwN7yQXWGM2tJaostIRNqyZIhVceVlIyXqCrSdC4E8

pdxjohnny commented 1 year ago

Have been working on an aligned RFC (still WIP) over here: https://github.com/ietf-scitt/use-cases/pull/18

Seems like transparency services will be where we log the end assessment of is vuln/is not vuln