ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

Document OSS vulnerability disclosures personas #91

Closed MarcinHoppe closed 3 years ago

MarcinHoppe commented 3 years ago

When this is merged, it should resolve #80.

SecurityCRob commented 3 years ago

Cross-posting. This is valuable work that multiple stakeholders can benefit from. From the OpenSSF Developer Best Practices WG (https://github.com/ossf/wg-best-practices-os-developers/issues/37):

As we frame our work and start to address user stories to improve OSS Development Best Practice, I am proposing several general and specific user personas in the development and vulnerability coordination processes. These items are informed by work the OpenSSF Vuln Disclosure WG is working on, work from the FIRST TPC WG and FIRST PSIRT Service Framework WG, and informed by upcoming changes in ISO/IEC29147 & 30111.

This is related to: ossf/wg-vulnerability-disclosures#91

General Personas:

- Maintainer - Creates and/or maintains software component
- Finder/Researcher - Finds and researches vulnerabilities
- Supplier - Supplies, supports, or repackages components
- Consumer - Consumes component directly or indirectly
- "Other" - [not fleshed out yet, but basically a category that includes Coordinators (like CERT/CC, JP-CERT, etc., or HackerOne et al.), Vulnerability Scanner Vendors, and Regulators] Supplies or ingests information about component for consumers

Depending on the particular use case or community these personas are used with/in, we've also identified several more precise personas that may add value to a given user story or analysis. Not all of these directly apply to the work or concerns of OSS maintainers, but they are part of the real-world ecosystem:

Specific Personas:

- Component Maintainer - person(s) that develop, maintain, or support a software component. This represents the OpenSSF Vuln Coordination persona "Alice".
- Community Member - person(s) that support and/or work with the Maintainer (could be a supporting function [quality engineering, peer reviewer, etc.]).
- Supplier PSIRT - Supplier product security team that monitors/assists with vulnerable components.
- Supplier Developer - supplier developer that makes further changes to a component for subsequent distribution. Could also be a Component Maintainer or Community Member (strongly encouraged). This represents the OpenSSF Vuln Coordination persona "Cherry".
- Consumer PSIRT - Product security team for an organization/entity that is consuming upstream components (and that may or may not also supply them to entities further downstream).
- Consumer CSIRT - Corporate security team responsible for protecting organizational assets that would use upstream components. This represents the OpenSSF Vuln Coordination persona "Finn".
- Consumer Developer - Developer that integrates or uses an upstream component for the organization.
- Consumer Business Owner - The business owner of the service/capability using the upstream component. This represents the OpenSSF Vuln Coordination persona "Jacob".
- Consumer's Downstream - End-consumers of offerings the Consumer produces or supports.
- Coordinator - Group that assists in the coordination/facilitation of vulnerability remediation.
- Vulnerability Scanner Vendor - Group that consumes vulnerability information to inform subscribers of threats/vulns.
- Regulator - Government or industry body that sets standards for constituents. Interested in vulnerability remediation of its constituents.

There are several others, but most are not directly germane to the goals of this particular working group. I look forward to the group's thoughts and collaboration.

Attachment: OpenSSF Vuln & Dev Diagrams - Personas.pdf