Vulnerability Disclosures Working Group

Mission

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers.

Vision

A world where coordinated vulnerability disclosure is a normal, easy, and expected process that is supported by guidance, automation, and tooling for maintainers, consumers, researchers, and vendors, with the goal of making open source software and the open source software supply chain more secure for everyone.

A world where coordinated vulnerability disclosure is:

  • a common, easy, and expected process
  • supported by well-documented guidance, automation, and tooling for open source maintainers and consumers, security researchers, and vendors
  • with the goal of making open source software and supply chains more secure for everyone.

Strategy

We plan on addressing this challenge through the following actions:

  • Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem, giving component maintainers and community members written guidance and educational materials.
  • Identifying vulnerability disclosure pain points and incentives for OSS maintainers, consumers, and security researchers, and taking steps to address them.
  • Facilitating the development and adoption of a standards-based OSS Vulnerability Exploitability eXchange (VEX) that uses existing industry formats and lets OSS projects of all sizes report, share, and learn about vulnerabilities in OSS components.

Vulnerability Disclosures Projects