Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Vulnerability Disclosures

GitHub Super-Linter

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.

Objective

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We plan on addressing this challenge through the following actions:

  • Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented standards and educational materials.

  • Identifying vulnerability disclosure pain points for OSS maintainer, consumers, and security researchers and take steps to address them.

  • Facilitate the development and adoption of a standards-based OSS Vulnerability Exchange that uses existing industry formats and allows OSS projects of all sizes to be able to report, share, and learn about vulnerabilities within OSS components.

Current work

Get Involved

We communicate on the Vulnerability Disclosure mailing list. Manage your subscriptions to Open SSF mailing lists.

Join us on Slack at https://openssf.slack.com/messages/wg_vulnerability_disclosures

Meeting Times

The working group meets every two weeks, on Wednesdays at 11:00 AM ET / 8:00 AM PT. Currently we are using Zoom for working group meetings. The invite is available on the OpenSSF Community Calendar.

The Working Group will hold a monthly APAC-friendly call at 6:00pm ET / 3:00pm PT the last Thursday of each month. The invite is available on the OpenSSF Community Calendar.

Meeting Notes

Governance

We use the vulnerability-disclosures-wg GitHub team.

The CHARTER.md outlines the scope and governance of our group activities.

Project Maintainers

Project Collaborators

Project Contributors

  • Yotam Perkal, Rezilion
  • Eric Hatleback, CERT/CC
  • Kayla Underkoffler, HackerOne
  • Francis Perron, Google
  • Nathan Menhorn, AMD
  • Eric Tice, Wipro
  • MegaZone, F5
  • Jason Keirstead, IBM
  • Paulo Flabiano Smorigo, Ubuntu/Canonical
  • Jeffrey Borek, IBM
  • Jennifer Fernick, NCC Group
  • Sandipan Roy, RedHat
  • Yogesh Mittal, Red Hat

A listing of our current and past group members.

Antitrust policy

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.