The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
The Vulnerability Disclosure Working group is officially a Graduated-level working group within the OpenSSF >
The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers.
A world where coordinated vulnerability disclosure is a normal, easy, and expected process that is supported by guidance, automation, and tooling for maintainers, consumers, researchers, and vendors, with the goal of making open source software and the open source software supply chain more secure for everyone.
A world where coordinated vulnerability disclosure is:
We plan on addressing this challenge through the following actions:
We communicate on the Vulnerability Disclosure mailing list. Manage your subscriptions to Open SSF mailing lists.
Join us on Slack at https://openssf.slack.com/messages/wg_vulnerability_disclosures
The working group meets every two weeks, on Wednesdays at 11:00 AM ET / 8:00 AM PT. Currently we are using Zoom for working group meetings. The invite is available on the OpenSSF Community Calendar.
The Working Group will hold a monthly APAC-friendly call at 6:00pm ET / 3:00pm PT the last Thursday of each month. The invite is available on the OpenSSF Community Calendar.
Effort | Meeting Times | Meeting Notes/Agenda | Git Repo | Slack Channel | Mailing List |
---|---|---|---|---|---|
Full WG | Every 2nd Wednesday 8:00a PT/11:00a ET/1500 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
WG - APAC TZ | Occurs Last Thursday monthly 3:00p PT/6:00p ET/2200 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
OSS-SIRT | Every 2nd Tuesday 6:00a PT/9:00a ET/1300 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
OSV schema | TBD | [Meeting Notes]() | Git Repo | [Slack]() | [Mailing List]() |
OpenVEX | Every 2nd Monday 12:00p PT/3:00p ET/1900 UTC | Meeting Notes | Git Repo | Slack | Mailing List |
Vuln Autofix SIG | Occurs every 2nd Wednesday 1:00p PT/4:00p ET/2000 UTC | Meeting Notes | [Git Repo]() | Slack | Mailing List |
We use the vulnerability-disclosures-wg GitHub team.
The CHARTER.md outlines the scope and governance of our group activities.
A listing of our current and past group members.
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.