Vulnerability Disclosures
Our vision is an open source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.
Objectives and Key Results (CY 2020)
The first objectives we're using to track our progress towards that vision are:
- Create a unified format and API for vulnerability reporting (from researchers to maintainers) and drive broad adoption of it across the open source software ecosystem
- Create a unified format, API, and process for coordinated disclosure (from maintainers to users/the world) and drive broad adoption
Outputs
- Unified list of metadata for vulnerability reports and disclosures
- Meeting notes are in this repository
Governance
The CHARTER.md outlines the scope and governance of our group activities.
Meeting times
Every third Monday at 7am Pacific. Contact Marcin for calendar details.
Who is in this Working Group?
- Leader: Marcin Hoppe (Auth0 / Node.js Ecosystem Security WG)
- Alex Mullans (GitHub)
- Nico Waisman (GitHub)
- Eva Sarafianou (Auth0)
- Crystal Hazen (HackerOne)
- Alex Rice (HackerOne)
- Eric Brewer (Google)
- Steve Dower (Microsoft/CPython)
- Hauwa Otori (GitHub)
- Lindsey Glovin (Uber)
- Sherif Mansour (OWASP)
- Martijn Russchen (HackerOne)
- Ben Willis (HackerOne)
We use the vulnerability-disclosures-wg GitHub team.