CY25 Q2 Vulnerability Disclosures WG TAC Update #483
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # 2025 Q2 Vulnerability Disclosure WG - Madison Oliver | ||
|
|
||
| ## Overview | ||
| **Mission**: The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers. | ||
|
|
||
| Last WG TI update was [February 18, 2025](https://github.com/taladrane/tac/blob/main/TI-reports/2025/2025-Q1-Vulnerability-Disclosure-WG.md). TI is progressing as expected. Core attendance and engagement has continued to remain relatively stable. The Linux Foundation Member Summit and VulnCon 2025 have taken place since the last update and included presentations and followup discussion from the WG. | ||
|
|
||
| ## Vulnerability Dislosures Working Group | ||
|
|
||
| ### Purpose | ||
| The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication. | ||
|
|
||
| ### Current Status | ||
| - Typically have 9-14 attendees for full WG meeting, 3-5 attendees for APAC WG meeting. | ||
| - [Continuing Graduated WG status](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md#to-become-graduated). | ||
| - WG and subprojects participating in, presented at, and subsequently discussed [VulnCon](https://openssf.org/blog/2025/04/14/key-takeaways-from-vulncon-2025-insights-from-the-openssf-community/) in-depth. A vulnerability identification workshop that included purl was held, and the OSV Project shared reflections from the project. VEX was a prominent topic at VulnCon, and it was mentioned that the VEX as an overarching spec is expected to get a new home and the CISA SBOM community was receptive to hosting VEX somewhere neutral. | ||
| - WG leads and a community member presented at the Linux Foundation Member Summit about open source vulnerabilities and how to bridge the gap between discovery and remediation. | ||
| - WG has discussed the CVE funding issues and is exploring additional solutions to better serve the open source community (https://github.com/ossf/wg-vulnerability-disclosures/issues/162, https://github.com/ossf/wg-vulnerability-disclosures/issues/163). We've also discussed the same concerns with the NVD and have discussed potential benefits of maintaining an NVD mirror. | ||
| - WG has discussed a [funding request](https://github.com/ossf/tac/issues/476) for a purl (package URL) proof-of-concept and training for the CVE Program. There was not enough WG support to pass at this time. | ||
| - Sub-project development: | ||
| - OSV Project > Working on the [OSV schema graduation application](https://github.com/ossf/tac/pull/456). | ||
| - OpenVEX SIG > Working on a PR to start the contribution of [vexflow](https://github.com/carabiner-dev/vexflow), a Go project that handles the lifecycle of VEX information for projects through GitHub issues, to the OpenVEX project. | ||
|
|
||
| ### Up Next | ||
| - WG Project Board: https://github.com/orgs/ossf/projects/29 | ||
| - [Review Security Baseline controls and how our project can help support them.](https://github.com/ossf/wg-vulnerability-disclosures/issues/165) | ||
| - Continue discussing [Global Vulnerability Database](https://github.com/ossf/wg-vulnerability-disclosures/issues/162) and [CVE risk, threats and safety net](https://github.com/ossf/wg-vulnerability-disclosures/issues/163). | ||
| - Complete OSV schema graduation application and donation of vexflow. | ||
| - Completing [Create an index/resources section in the readme](https://github.com/ossf/wg-vulnerability-disclosures/issues/151) & [List of vulnerability disclosure standards](https://github.com/ossf/wg-vulnerability-disclosures/issues/67) should be an easy win for the WG as well. | ||
| - [Project Idea - CVD Guide for OSS Consumers](https://github.com/ossf/wg-vulnerability-disclosures/issues/115) > effort is still stagnating and needs to be revived. | ||
|
|
||
| ### Questions/Issues for the TAC | ||
| - (Standing question) What other areas in the OpenSSF Roadmap does the TAC see opportunity for the Vulnerability Disclosures working group? | ||
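Review bot: the heading `## Vulnerability Dislosures Working Group` misspells "Disclosures"; suggest `## Vulnerability Disclosures Working Group` so it matches the WG name used in the Mission line and in the page title. Two smaller points in the same hunk: the "Last WG TI update" link points at `https://github.com/taladrane/tac/...`, a personal fork, while every other repository link in this file uses `ossf/tac` (for example the graduated-status link), so it should reference the canonical `ossf/tac` repository once the Q1 report lives there; and in the Overview paragraph "Core attendance and engagement has continued" should read "have continued", with "followup discussion" written as "follow-up discussion".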
In the Ecosystem Leader focus area of our 2025 roadmap, I think there may be an interesting opportunity for the VD WG to collaborate across foundations with the CoSAI supply chain workstream around Model Vuln standardization, if the group wasn't following this effort yet.