Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Participants

  • Marcin Hoppe (Auth0 / Node.js Ecosystem Security WG)
  • Eva Sarafianou (Auth0 / Node.js Ecosystem Security WG)
  • Crystal Hazen (HackerOne)
  • Alex Rice (HackerOne)
  • Steve Dower (Microsoft/CPython)
  • Lindsey Glovin (Uber)
  • Sherif Mansour (OWASP)
  • Martijn Russchen (HackerOne)
  • Ben Willis (HackerOne)
  • Jason Keirstead (IBM Security)
  • Pete Allor (Red Hat)
  • Josh Bressers (Elastic)
  • CRob [Red Hat]
  • Reed Loden (HackerOne)
  • Anne Bertucio (Google)
  • Morten Linderud (Arch Linux)
  • Gilles Gravier (Wipro)
  • Dan Lorenc (Google)
  • Claudio Criscione (Google)
  • Matthew Dressman (Microsoft)
  • Eduardo Barretto (Ubuntu/Canonical)
  • Marcus Meissner (SUSE)
  • David A. Wheeler (Linux Foundation)
  • Morten Linderud (Arch Linux)
  • Paulo Flabiano Smorigo (Ubuntu/Canonical)

Agenda & notes

  • Welcome new members
  • Working group governance topics
    • Mailing list
  • Martin Prpic from Red Hat Product Security to come talk about CSAF and other industry data format efforts
  • Consideration of CERT/CC's VINCE platform as a possible mechanism for vulnerability information sharing.
  • Discussion around vision and mission for this WG
    • Pull-request: #52

Video recording

No youtube recording of this session.

Meeting minutes

  • Welcome new members
    • Nicole Schwartz (@NicoleSchwartz)
    • Rimas Mocevicius
    • David A Wheeler?
    • Matt Wilson
    • ?
    • Amit Elazari
    • Intro of existing members
  • Working group governance topics:
  • Martin Prpic from Red Hat Product Security to come talk about CSAF and other industry data format efforts
    • At the core of all projects - CVE is headed by MITRE in order to issue IDs
    • MITRE wants to assign things [CVE reservation process] in a more automated fashion so they can move quicker - there are sub level CNAs who also assign numbers.
    • MITRE also wants to be able to share CVE in a json format - which can also act as an API to query CVE data. They are looking at ways to add tagging and text. This is a draft schema.
    • CSAF - a way to represent in machine readable format - a continuation of another format - it’s now converted XML to json. Overall the Schema remains the same. This is lead by the OASIS group. This is a heavy format, and it is over 15 years old. They are a standards body with less industry experience. Their repo: https://github.com/oasis-tcs/csaf
      • Those familiar with CVRF 1.2 might be interested in a list of changes from 1.2 to 2.0: oasis-tcs/csaf#127
    • Question: How in-sync are OASIS and MITRE?
      • Answer: They are intended to cover two different scopes. A CVE will need to go into different remediations for each circumstance. It is supposed to cover everything. The OASIS is supposed to be an advisory that tells you a way to fix an issue, which doesn’t need to be a cve. It’s a subset of the data. For example it may not talk about windows specific things. There is some duplication but he doesn’t feel they are competing.
      • CSAF is a vendor reporting issue to your users, and it might reference a CVE. You might create 100 CSAF for 1 CVE
      • CVE you list known impacted software and versions. The CSAF instead talks about the relationship between the product and the vulnerability.
  • Consideration of CERT/CC's VINCE platform as a possible mechanism for vuln. info sharing
    • Future meeting will look to have them come talk about it. They currently need help open-sourcing it. @CRob to get an invite out to Art+team to come talk to us about VINCE
  • Discussion around vision and mission for this WG (PR)
    • Comments; Include vulnerability reporter/finders, mention encouraging automation, vendors are going to need to coordinate disclosures - making sure all those stakeholders can work together using the existing standards
    • Amit: one thing that comes up next will be scoping, identifying owners and what is first is important
    • Questions: what was the exchange? Answer: Unknown. Wording changes suggested
    • Proposed changes for WG Goals (all on call agreed):
      • Identifying vulnerability disclosure pain points for OSS maintainers, consumers, and reporter/finders and take steps to address them through techniques liike automation and standardized data formats.
      • Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented standards and educational materials.
      • Facilitate the development and adoption of standards-based OSS Vulnerability information that uses existing industry formats. and allows OSS projects of all sizes to be able to report, share, and learn about vulnerabilities within OSS components.

Action items

  • @CRob to get an invite out to Art+team to come talk to us about VINCE
  • Propose changes for working group goals