ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

Vulnerability disclosures WG meeting 10/5/2020 #51

Closed MarcinHoppe closed 3 years ago

MarcinHoppe commented 3 years ago

Time

Monday October 5th, 2020 7:00 AM Pacific

Links

The invite is also available on the OpenSSF Community Calendar.

Agenda

Notes

SecurityCRob commented 3 years ago

New Agenda Item - Martin Prpic from Red Hat Product Security to come talk about CSAF and other industry data format efforts

SecurityCRob commented 3 years ago

New Agenda Item - Consideration of CERT/CC's VINCE platform as a possible mechanism for vuln. info sharing - https://kb.cert.org/vince/ https://www.sei.cmu.edu/news-events/news/article.cfm?assetid=641759

If we'd like to hear more, we can invite Art Manion & crew to come talk to us

The FIRST PSIRT SIG is endorsing open sourcing VINCE and supporting this tool. [edited to add additional URL for information]

MarcinHoppe commented 3 years ago

@RedHatCRob I added this to the agenda for Monday if this is something you want to discuss with the WG.

MarcinHoppe commented 3 years ago

I won't be able to attend the meeting today, but @RedHatCRob was kind enough to offer running the meeting today.

SecurityCRob commented 3 years ago

OK, today the group discussed our desired goals for the WG and endorsed the following:

1.) Identifying vulnerability disclosure pain points for OSS maintainers, consumers, and reporters/finders, and taking steps to address them through techniques like automation and standardized data formats.

2.) Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented standards and educational materials.

3.) Facilitating the development and adoption of standards-based OSS vulnerability information that uses existing industry formats and allows OSS projects of all sizes to report, share, and learn about vulnerabilities within OSS components.

Foxboron commented 3 years ago

Hm, was the meeting recorded? I realized afterwards it wasn't declared as such.

SecurityCRob commented 3 years ago

Hm, was the meeting recorded? I realized afterwards it wasn't declared as such.

Arrg! Sorry all, I forgot to press the button. We did take notes in the gdoc (my hat is off to whomever paid such excellent attention & captured everything so well) - https://docs.google.com/document/d/1VAx4crIxhfHExTlUaGlcocYgB7pHfP2Eq8INYBZkqPM/edit?usp=sharing

Foxboron commented 3 years ago

No problem :) It might be a good idea to have that as a standard note in the agenda for future meetings so we don't forget.

rimusz commented 3 years ago

No problem :) It might be a good idea to have that as a standard note in the agenda for future meetings so we don't forget.

+1

NicoleSchwartz commented 3 years ago

I grabbed a lot of the notes, sorry for anything I missed - if we're using Zoom perhaps we could use otter.ai next time to grab live transcription? (That's how I tend to do my D&D games.)

Nicole Schwartz (She/Her) amazonv@gmail.com

On Mon, Oct 5, 2020 at 9:34 AM Rimas Mocevicius notifications@github.com wrote:

No problem :) It might be a good idea to have that as a standard note in the agenda for future meetings so we don't forget.

+1


MarcinHoppe commented 3 years ago

Great notes! Thank you so much for taking them.

I will open a PR to store those notes here in this repo before we close this issue.