ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping to mature, and advocating for, well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

Vulnerability disclosure research #89

Closed rarkins closed 2 years ago

rarkins commented 3 years ago

Is this WG involved in any way in this upcoming vulnerability disclosure survey by GitHub?

[image]

rarkins commented 3 years ago

Tweet for context:

[image]

Foxboron commented 3 years ago

Nothing in the meetings at least.

MarcinHoppe commented 3 years ago

Not to my knowledge. I will reach out to Hauwa to check if there is any overlap.

HonkingGoose commented 2 years ago

I think I found something relevant in https://github.com/ossf/wg-vulnerability-disclosures/issues/99#issue-901314421, full quote:

The group would like to develop a CVD guide for OSS projects. The guide should include the CVD process, how to work with security researchers in a CVD setting, and templates for security policies (issue #95).

A fork of Google's CVD for OSS guide has been added here to give a starting base. Please open issues, PRs, and edit away!

The linked ossf/oss-vulnerability-guide repository has a section on Feedback:

Feedback

We welcome feedback from OSS project maintainers and security researchers on this guide. Opening a GitHub Issue is the best way to send feedback (see CONTRIBUTING.md for directions on submitting PRs).

So I think this is where you can contribute as a maintainer or security researcher.

I might be totally wrong though... 🙈 Just wanted to mention what I found, in case it's relevant.

rarkins commented 2 years ago

I think we can close this issue now. The answer appears to be that it was private research which GitHub performed for commercial purposes, not OSSF.