SecurityCRob
commented
1 year ago Hey team - I've collected/summarized/augmented the existing comments around our WG MVSR into a "TL/DR" section at the bottom. Feedback please: https://docs.google.com/document/d/1p83YgnkT9YJLMQoppQx9KyMbRzYqO-ALb4TrmhTh1q0/edit#heading=h.gsvl7u67k2k
Feedback requested
excerpt here: TL/DR Vuln Disc MVSR
Proposed Mission: The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers.
Proposed Vision: A world where coordinated vulnerability disclosure is a normal and expected process that is supported by well-documented processes, secure tooling, and mature vendors, researchers, and maintainers, in order to make open source software and the open source software supply chain a safer place for everyone. Proposed Strategy: We plan on addressing this challenge through the following actions:
- Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented standards and educational materials.
- Identifying vulnerability disclosure pain points for OSS maintainer, consumers, and security researchers and taking steps to address them.
- Facilitate the development and adoption of a standards-based OSS Vulnerability Exchange that uses existing industry formats and allows OSS projects of all sizes to be able to report, share, and learn about vulnerabilities within OSS components.
Proposed Roadmap:
- Evangelize artifacts and tooling from the group through podcasts, conference presentations, blogs, etc. for things like the CVD guides, OSV, OpenVEX, & autofix sig
- Podcasts
- Blogs
- Conferences
- Open office hours to interact with Open Source project managers and help them.
- Expand use of VEX by upstream projects through the advocacy and use of VEX and VEX-creation tools (such as OpenVEX). Issuance of VEX documents upstream helps the whole ecosystem understand what is needed and how to effectively execute, providing critical vuln affectedness data to downstream consumers so they can understand how to incorporate with other vuln info (CSAF, OSV, SBOM, etc).
- Increase awareness and use of CVD guides, techniques and tools
- Increase the awareness and use of OSV
- Participate in forthcoming industry “VulnCon” to share OSS vuln mgmt perspectives with broad PSIRT/CSIRT/CERT ecosystem
- Support industry-wide vuln coordination efforts with good practices identified by the OSS-SIRT SIG
- Provide guidance, documentation, and templates to the OpenSSF for use as security policies and vulnerability management processes (security.md, vuln disclosure policy, etc.)
- Something something Autofix
MVSR (Mission, Vision, Strategy, Roadmap)[1] is a tool that helps provide a consistent way of expressing our goals and efforts across the foundation. All working groups have been asked to express themselves using this format which should also help the group plan for future work/projects. All are welcome to participate, I've created a copy[2] of the template for our group to use in this exercise. I've provided an example of how an MVSR could look from the Security Toolbelt group[3] for reference.
[1] - https://docs.google.com/document/d/1p6hOlE4eH1xvQ9pP7swCH2tmIJJ-6G3vnYI8MDzSCQk/edit [2] - https://docs.google.com/document/d/1p83YgnkT9YJLMQoppQx9KyMbRzYqO-ALb4TrmhTh1q0/edit [3] - https://github.com/ossf/Diagrammers-Society/tree/main/SecurityToolbelt