ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

Document OSS vulnerability disclosure processes #73

Open MarcinHoppe opened 3 years ago

MarcinHoppe commented 3 years ago

We've had several people present on OSS vulnerability disclosure processes in their organizations, but we haven't documented them outside of meeting notes. It would be great to document them as separate documents in this repo.

I was thinking about creating Markdown documents for:

If I missed a presentation, please let me know!

SecurityCRob commented 3 years ago

I'm getting notes from the recent consult we did with the requested upstream project, but here is a historic blog we wrote as a suggested good practice for upstreams to follow around vuln. mgmt - https://access.redhat.com/blogs/766093/posts/1975833