
Driving Change Together: The OpenSSF Takes On VulnCon

March 20, 2024 (updated March 22, 2024) | Blog

By Madison Oliver, GitHub

The CVE and FIRST VulnCon 2024 and Annual CNA Summit is set to take place in Raleigh, North Carolina, next week! The OpenSSF is delighted to support this initiative and our cross-industry goals to sustainably make open source software safer.

About VulnCon

VulnCon is a vulnerability management conference co-sponsored by the CVE Program and the Forum of Incident Response and Security Teams (FIRST). The conference seeks to assemble experts from across the numerous standards/frameworks groups, tool projects, and incident response teams involved in identifying, classifying, remediating, and disclosing vulnerabilities to the industry. VulnCon stands out from other cybersecurity conferences with its focus on product security incident response, coordinated vulnerability disclosure, and vulnerability management. The goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and to determine how best to benefit the ecosystem broadly.

OpenSSF’s Engagement in Cybersecurity

The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. We work on this by fostering collaboration with fellow industry groups like the CVE Program and FIRST, establishing best practices like our recently released Principles for Package Repository Security guide, and developing innovative solutions like the OpenVEX implementation and tooling. Cross-industry collaboration and knowledge sharing are crucial to properly addressing major challenges: they foster innovation, drive sustainable growth, and maximize the impact of our collective efforts.

The OpenSSF is thrilled to have a notable presence at VulnCon! Eleven OpenSSF contributors will present at the conference on a variety of topics from across our working groups, with significant representation from our Vulnerability Disclosures Working Group, whose focus overlaps with the conference: improving the overall security of the open source software ecosystem by helping to mature and advocate well-managed vulnerability reporting and communication. Our engagement in this event illustrates our commitment to the community and supports our strategy of facilitating collaboration across industry stakeholders to sustainably and effectively address open source software security challenges, with transparent operations and governance.

Highlights of VulnCon agenda

The VulnCon agenda includes three days of action-packed vulnerability management content! With the goal of accelerating collaboration within the vulnerability management and standards/frameworks space, the agenda includes 40+ sessions containing actionable advice on how to engage in coordinated vulnerability disclosure across ecosystem stakeholders and how to use and align the assorted vulnerability metadata tools, frameworks, and standards.

Some OpenSSF showcase sessions include:

  • An entire “Day of VEX” from practitioners, including OpenSSF contributors:
      • Democratizing Exploitability Data with OpenVEX by Adolfo Garcia Veytia (Stacklok, MX).
          • This session will discuss VEX, best practices for implementation, and how the industry can leverage some of the VEX tooling that our OpenVEX SIG has been developing!
      • Panel Discussion: Don’t be Vexed by VEX – VEXperts Panel by Adolfo Garcia Veytia (Stacklok, MX); Art Manion (ANALYGENCE Labs, US); Christopher Robinson (Intel, US); Justin Murphy (CISA, US); Rose Judge (SPDX, US); Steve Springett (OWASP, US).
          • This panel will cover everything you need to know about VEX from multiple perspectives, and will include examples of various implementations and the justifications for each approach.
      • CSAF/VEX: Improved Security Data by Martin Prpic (Red Hat, US).
          • This session, from an OpenSSF contributor, will discuss both technical and non-technical aspects of vulnerability management for an incident-response audience, including how CSAF and VEX data are used (and can be misused) within security development lifecycle practices.
  • Expert panels on industry coordinated vulnerability disclosure, vulnerability identifiers, and vulnerability management best practices.
  • A Roadmap for Your OSS Security Lifecycle Journey to Protect Customers by Lisa Bradley and Sarah Evans (Dell, US).
      • This session will explore the essential components of a mature OSS security practice and provide a comprehensive guide on how businesses can enhance customer protection through effective OSS management, with special emphasis on the OpenSSF and its offerings for improving security practices in the OSS supply chain.

Get Involved

Are you passionate about driving innovation, solving complex security and open source challenges, and making a positive impact on society? Then we invite you to get involved in OpenSSF! We are committed to bringing together thought leaders, industry experts, and changemakers from diverse sectors to further our mission of making it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. We look forward to seeing you in our next working group meeting!

About the Author

Madison Oliver is a vulnerability transparency advocate and senior security manager at GitHub, leading the advisory database curation team. She is passionate about vulnerability reporting, response, and disclosure, and is the co-chair of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures Working Group and serves on the CVE Program Board.