By Christopher “CRob” Robinson, Intel
This month, our spotlight is on the OpenSSF Vulnerability Disclosures Working Group. In this post, learn more about what this working group has been working on and how you can get involved.
The WG aims to improve open source security by developing and advocating well-managed vulnerability reporting and communication. We do so by documenting and supporting best vulnerability disclosure and coordination practices and help share information on vulnerability information. We have folks from all sides of the coordinated vulnerability disclosure landscape participating and are heavily engaged with the broader security ecosystem and core vulnerability standards.
Highlights of the Past Few Months
The group has been fairly active over the last several months, with several interesting milestones being hit across some of our projects:
We recently presented at Vancouver’s OSS NA conference, “Simplifying Coordinating Vulnerabilities & Disclosures in Open Source Projects.” In this popular talk, we covered core concepts of vulnerability disclosure and in-depth steps projects and maintainers can take to improve their current vulnerability reporting and remediation processes.
We’ve released two guides on this topic of Coordinated Vulnerability Disclosure (CVD): a guide for OSS maintainers and a guide for security researchers. We’ve also released other resources on our GitHub, including templates for the communication components of CVD and a runbook that gives a step-by-step list for the CVD process. The simple and practical advice from our CVD Guides has been useful not only to maintainers, but also security researchers, so much so that a follow-up document is planned this time focusing on how downstream consumers can get the most out of open source CVD.
We’re also helping create and support tools that assist in the documentation and communication of vulnerabilities that might impact open source code. The first project we’ll explore more in-depth is OSV – the Open Source Vulnerability Schema: “an open, precise, and distributed approach to producing and consuming vulnerability information for open source.” OSV is in use in many popular ecosystems like GitHub advisories, PyPI, Go, Maven, Rust, GSD, and others. It provides both human and machine-readable formats and is a truly open source collaborative way of sharing and consuming open source software vulnerabilities. Most recently R, Haskell, Curl, and Bitnami have adopted and are using OSV. The project is looking for opportunities to collaborate with other Linux Distros on top of Alpine and AlmaLinux, which have already adopted it. The team will be presenting “OSV and the Life of an Open Source Vulnerability” at the upcoming OSS EU OpenSSF Day on September 18.
Another spec and software project the group participates in is called OpenVEX. VEX stands for Vulnerability Exchange, and it is an open format used to share vulnerability data, and OpenVEX is a simple, open implementation of VEX documents. The OpenVEX SIG is a group dedicated to the transparent sharing of vulnerability data through open formats, like VEX, so that participants throughout the OSS supply chain better understand the impact of security vulnerabilities to the software and components they produce, depend upon, consume, and deliver. Members of the SIG have been very active in Cybersecurity and Infrastructure Security Agency (CISA)’s working group, who recently published their Minimum Elements of a VEX. Based on this, the project team plans several major updates to both the OpenVEX spec as well as the vexctl tooling to keep OpenVEX in line with the standard and provide flexibility for the future. The group is also presenting at the upcoming OpenSSF Day in Bilbao, Spain, reflecting back on the first 6 months of being an OpenSSF project!
New and Upcoming Initiatives
Another area the group is collaborating in is helping security researchers understand and better work with open source projects and maintainers. Beyond the aforementioned CVD guide, we have started a new SIG under our working group: the Autofix SIG. This group is dedicated to helping researchers report vulnerabilities to projects in an automated, repeatable fashion, and manage disclosure campaigns that could interact with dozens to hundreds of maintainers. They are working on a spec to help manage these automated campaigns.
We’re also gathering requirements through the OSS-SIRT SIG to help create a Security Incident Response Team, which would be a coordinated group of experts from across the industry who can help open source maintainers with remediating and disclosing high-impact security vulnerabilities. This goal is part of Stream 5 of the Open Source Software Security Mobilization Plan. Through this project, we’ll talk to a whole battery of upstream developers to see how a SIRT can help their projects. If upstream maintainers or projects have ideas for how they’d leverage a dedicated security team upstream, please let us know! We’d also love to have volunteers to help man this team, once it’s set up.
Get Involved
The group is highly involved with the ecosystem and with the standards and tools that help make vulnerability disclosure work. There are a multitude of ways to get involved in the community and have an impact on the industry! Each group collaborates together on Slack, GitHub, or our mailing list. The Full working group meets every two weeks, on Wednesdays at 11:00 AM ET / 8:00 AM PT, and meets monthly in an APC-friendly time to engage with our friends in Australia and other parts of the globe! All our meetings are open to the public and all are welcome to join us. See this page for a full schedule for meetings of our working groups and sub-groups. We hope you can get involved and help us secure the open source software ecosystem!
About the Author
Christopher “CRob” Robinson, OpenSSF TAC Chair & Director of Security Communications, Intel
Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect.