By Christopher “CRob” Robinson (Intel), Randall T. Vasquez (Gentoo), Francis Perron (Google), VM Brasseur (Wipro) and the Vulnerability Disclosures Working Group
The open source software (OSS) ecosystem has a long history of collaboration on security vulnerabilities. From the earliest days of sharing reports and patches through mailing lists to today, with the near-instant notifications when a patch is submitted to a repository, open source developers have strived to work with the necessary people to fix and correct security defects quickly.
With the overwhelming majority of software used in clouds and enterprises being composed of free and open source software, security researchers (aka “Finders”) have been inspired to turn their research and tools to the open source ecosystem to find potentially hidden vulnerabilities lurking in OSS code. We are nearing a time when “enough eyeballs” are coming to gaze, making those unknown security bugs more shallow, but this has not come without friction. Finders, open source developers, and maintainers don’t always see eyeball-to-eyeball on disclosures, since these groups often come from very different perspectives and goals.
The OpenSSF’s Vulnerability Disclosures Working Group initially published a Guide to implementing a coordinated vulnerability disclosure process for open source projects in 2021. The guide was full of good practices and templates that any OSS developer or project could leverage to make coordinating vulnerability disclosure more straightforward and frictionless. However, it dealt with only one side of the equation in reporting and fixing security vulnerabilities: the project’s side.
New CVD Guide for Finders
The Vulnerability Disclosures Working Group is proud to unveil the next evolution in improving open source coordination of vulnerability disclosures: a new guide focused on the security researcher, or Finder, persona.
The newly published Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects provides valuable best practices on how Finders can best engage and work with the open source community on discovered vulnerabilities.
It offers a wealth of resources and templates that have been vetted by a global community of incident response experts and practitioners within the open source ecosystem. This new publication aims to help researchers better understand standard OSS practices and expectations, and how best to engage and set expectations when working within OSS communities.