OpenVEX SIG

The OpenSSF's OpenVEX Special Interest Group (SIG) is a group dedicated to the transparent sharing of vulnerability data through open formats, like VEX, so that participatants throughout the open source software supply chain have clear signals and better understanding of the impact of security vulnerabilities to the software and components they produce, depend upon, consumer, and deliver.

The group has two primary foci:

• The maintenance and upkeep of the OpenVEX spec and tooling
• Promotion of sharing of vulnerability infomration through formats such as VEX, evangelization and support transmitting VEX information throughout the open source ecosystem, working with industry groups, standards bodies, and tooling projects to promote universal use of VEX as a means to communicate affectedness of software to vulnerabilities.

Motivation

[Background / use cases of the problem to be solved]

Objective

[What is to be achieved with this initiative]

[OKRs - OPTIONAL]

Scope

[What is in and out of scope]

Prior Work

• List of prior and/or related projects

Get Involved

• Official communications occur on the [OpenVEX SIG Mailing List] (https://lists.openssf.org/g/openssf-sig-openvex). Manage your subscriptions to Open SSF mailing lists.
• Slack Channel #openssf-sig-openvex

Quick Start

• Areas that need contributions
  • Contributions to the OpenVEX spec or vexctl
  • Participation in evangelizing VEX as a means to share affecteness of software to vulnerabilities
  • Participation in industry groups supporting VEX and SBOM
• Where to file issues

Meeting Times

The OpenVEX Community meets every other Monday at 12:00 PDT / 21:00 CET. Our meetings are listed on the OpenSSF's Public Calendar. We alternate between a community/advocacy call and a technical call, all are welcome to both!

• Zoom Link: https://zoom.us/j/99998407618
• Meeting Minutes

Governance

[TODO: Update this link to your specific CHARTER.md file] The CHARTER.md outlines the scope and governance of our group activities.

Team Members

• Technical Lead name - Adolfo García Veytia (aka puerco)
• Evangelism Lead name - Jay White

SIG Maintainers

• Adolfo García Veytia, Chainguard
• Christopher "CRob" Robinson, Intel
• Jay White, Microsoft

SIG Collaborators

• Rose Judge, VMWare
• Art Manion, ANALYGENCE
• Isaac Hepworth, Google
• Madison Oliver, GitHub
• Yotam Perkal, Rezilion
• Alex Goodman, Anchore

SIG Contributors

• Brandon Mitchell, IBM

Intellectual Property

In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:

[TODO: Select below the applicable license(s), delete those that don't apply, and update the LICENSE file accordingly. For specification development refer to the specific instructions on the Community Specification Getting Started page.

Note that for source code, instead of Apache, you may choose to use the MIT License available at https://opensource.org/licenses/MIT. Otherwise, no other license than those listed here may be used without approval from the Governing Board.]

1. Software source code

• Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0;

2. Data

• Any of the Community Data License Agreements, available at https://www.cdla.io;

3. Specifications

• Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0

4. All other Documentation

• Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/