- Marcin Hoppe (Auth0 / Node.js Ecosystem Security WG)
- Eva Sarafianou (Auth0 / Node.js Ecosystem Security WG)
- Crystal Hazen (HackerOne)
- Alex Rice (HackerOne)
- Steve Dower (Microsoft/CPython)
- Lindsey Glovin (Uber)
- Sherif Mansour (OWASP)
- Martijn Russchen (HackerOne)
- Ben Willis (HackerOne)
- Jason Keirstead (IBM Security)
- Pete Allor (Red Hat)
- Josh Bressers (Elastic)
- CRob [Red Hat]
- Reed Loden (HackerOne)
- Anne Bertucio (Google)
- Morten Linderud (Arch Linux)
- Gilles Gravier (Wipro)
- Dan Lorenc (Google)
- Claudio Criscione (Google)
- Matthew Dressman (Microsoft)
- Eduardo Barretto (Ubuntu/Canonical)
- Marcus Meissner (SUSE)
- David A. Wheeler (Linux Foundation)
- Paulo Flabiano Smorigo (Ubuntu/Canonical)
- Welcome new members
- Working group governance topics
- Mailing list
- Martin Prpic from Red Hat Product Security to come talk about CSAF and other industry data format efforts
- Consideration of CERT/CC's VINCE platform as a possible mechanism for vulnerability information sharing.
- Discussion around vision and mission for this WG
- Pull-request: #52
No youtube recording of this session.
- Welcome new members
  - Nicole Schwartz (@NicoleSchwartz)
  - Rimas Mocevicius
  - David A Wheeler?
  - Matt Wilson
  - ?
  - Amit Elazari
- Intro of existing members
- Working group governance topics:
  - Mailing list: https://lists.openssf.org/g/openssf-wg-vul-disclosures
- Martin Prpic from Red Hat Product Security to come talk about CSAF and other industry data format efforts
  - At the core of all projects is CVE, which is headed by MITRE in order to issue IDs.
  - MITRE wants to assign things (the CVE reservation process) in a more automated fashion so they can move quicker; there are also sub-level CNAs who assign numbers.
  - MITRE also wants to be able to share CVE data in a JSON format, which can also act as an API to query CVE data. They are looking at ways to add tagging and text. This is a draft schema.
  - CSAF is a way to represent advisories in a machine-readable format. It is a continuation of another format (CVRF), now converted from XML to JSON; overall the schema remains the same. It is led by the OASIS group. This is a heavy format, and it is over 15 years old. OASIS is a standards body with less industry experience. Their repo: https://github.com/oasis-tcs/csaf
  - Those familiar with CVRF 1.2 might be interested in a list of changes from 1.2 to 2.0: oasis-tcs/csaf#127
  - Question: How in-sync are OASIS and MITRE?
  - Answer: They are intended to cover two different scopes. A CVE will need to go into different remediations for each circumstance. It is supposed to cover everything. The OASIS one is supposed to be an advisory that tells you a way to fix an issue, which doesn't need to be a CVE. It's a subset of the data. For example, it may not talk about Windows-specific things. There is some duplication, but he doesn't feel they are competing.
  - CSAF is a vendor reporting an issue to its users, and it might reference a CVE. You might create 100 CSAF documents for one CVE.
  - In a CVE you list the known impacted software and versions. The CSAF instead talks about the relationship between the product and the vulnerability.
- Consideration of CERT/CC's VINCE platform as a possible mechanism for vuln. info sharing
  - A future meeting will look to have them come talk about it. They currently need help open-sourcing it. @CRob to get an invite out to Art+team to come talk to us about VINCE
- Discussion around vision and mission for this WG (PR)
  - Comments: include vulnerability reporters/finders, mention encouraging automation, and note that vendors are going to need to coordinate disclosures, making sure all those stakeholders can work together using the existing standards.
  - Amit: one thing that comes up next will be scoping; identifying owners and what is first is important.
  - Questions: what was the exchange? Answer: unknown. Wording changes suggested.
  - Proposed changes for WG Goals (all on call agreed):
    - Identifying vulnerability disclosure pain points for OSS maintainers, consumers, and reporters/finders and taking steps to address them through techniques like automation and standardized data formats.
    - Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented standards and educational materials.
    - Facilitating the development and adoption of standards-based OSS vulnerability information that uses existing industry formats and allows OSS projects of all sizes to report, share, and learn about vulnerabilities within OSS components.
- @CRob to get an invite out to Art+team to come talk to us about VINCE
- Propose changes for working group goals