
Vulnerability disclosures WG meeting 10/5/2020 #51

Closed
MarcinHoppe opened this issue Sep 30, 2020 · 11 comments · Fixed by #68
Comments

@MarcinHoppe
Contributor

MarcinHoppe commented Sep 30, 2020

Time

Monday October 5th, 2020 7:00 AM Pacific

Links

The invite is also available on the OpenSSF Community Calendar.

Agenda

Notes

@SecurityCRob
Contributor

New Agenda Item - Martin Prpic from Red Hat Product Security to come talk about CSAF and other industry data format efforts

@SecurityCRob
Contributor

SecurityCRob commented Oct 1, 2020

New Agenda Item - Consideration of CERT/CC's VINCE platform as a possible mechanism for vuln. info sharing - https://kb.cert.org/vince/
https://www.sei.cmu.edu/news-events/news/article.cfm?assetid=641759

If we'd like to hear more, we can invite Art Manion & crew to come talk to us

The FIRST PSIRT SIG is endorsing open sourcing VINCE and supporting this tool.
[edited to add additional URL for information]

@MarcinHoppe
Contributor Author

@RedHatCRob I added this to the agenda for Monday if this is something you want to discuss with the WG.

@MarcinHoppe
Contributor Author

I won't be able to attend the meeting today, but @RedHatCRob was kind enough to offer running the meeting today.

@SecurityCRob
Contributor

OK, today the group discussed our desired goals for the WG and endorsed the following:

1.) Identifying vulnerability disclosure pain points for OSS maintainers, consumers, and reporters/finders, and taking steps to address them through techniques like automation and standardized data formats.

2.) Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented standards and educational materials.

3.) Facilitating the development and adoption of standards-based OSS vulnerability information that uses existing industry formats, and allows OSS projects of all sizes to report, share, and learn about vulnerabilities within OSS components.

@Foxboron
Contributor

Foxboron commented Oct 5, 2020

Hm, was the meeting recorded? I realized afterwards it wasn't declared as such.

@SecurityCRob
Contributor

> Hm, was the meeting recorded? I realized afterwards it wasn't declared as such.

Arrg! Sorry all, I forgot to press the button. We did take notes in the gdoc (my hat is off to whoever paid such excellent attention & captured everything so well) - https://docs.google.com/document/d/1VAx4crIxhfHExTlUaGlcocYgB7pHfP2Eq8INYBZkqPM/edit?usp=sharing

@Foxboron
Contributor

Foxboron commented Oct 5, 2020

No problem :) It might be a good idea to have that as a standard note in the agenda for future meetings so we don't forget.

@rimusz
Contributor

rimusz commented Oct 5, 2020

> No problem :) It might be a good idea to have that as a standard note in the agenda for future meetings so we don't forget.

+1

@NicoleSchwartz
Contributor

NicoleSchwartz commented Oct 5, 2020 via email

@MarcinHoppe
Contributor Author

MarcinHoppe commented Oct 6, 2020

Great notes! Thank you so much for taking them.

I will open a PR to store those notes here in this repo before we close this issue.

Foxboron added a commit to Foxboron/wg-vulnerability-disclosures that referenced this issue Oct 31, 2020
Fixes ossf#51

Signed-off-by: Morten Linderud <morten@linderud.pw>