
Driving Change Together: The OpenSSF Takes On VulnCon

Published March 20, 2024 (updated March 22, 2024) | Blog

By Madison Oliver, GitHub

The CVE and FIRST VulnCon 2024 and Annual CNA Summit is set to take place in Raleigh, North Carolina, next week! The OpenSSF is delighted to support this initiative and our cross-industry goals to sustainably make open source software safer.

About VulnCon 

VulnCon is a vulnerability management conference co-sponsored by the CVE Program and the Forum of Incident Response and Security Teams (FIRST). The conference seeks to assemble experts from across the numerous standards and frameworks groups, tooling projects, and incident response teams involved in identifying, classifying, remediating, and disclosing vulnerabilities to the industry. VulnCon stands out from other cybersecurity conferences with its focus on product security incident response, coordinated vulnerability disclosure, and vulnerability management. The goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and to determine how best to benefit the ecosystem broadly.

OpenSSF’s Engagement in Cybersecurity 

The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. We work on this by fostering collaboration with fellow industry groups like the CVE Program and FIRST, establishing best practices like our recently released Principles for Package Repository Security guide, and developing innovative solutions like the OpenVEX implementation and tooling. Cross-industry collaboration and knowledge sharing are crucial to properly addressing major challenges: they foster innovation, drive sustainable growth, and maximize the impact of our collective efforts.

The OpenSSF is thrilled to have a notable presence at VulnCon! Eleven OpenSSF contributors will present at the conference on a variety of topics from across our working groups, with significant representation from our Vulnerability Disclosures Working Group, given the shared focus on improving the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication. Our participation in this event illustrates our commitment to community engagement and supports our strategy of working with the community and facilitating collaboration across industry stakeholders, with transparent operations and governance, to sustainably and effectively address open source software security challenges.

Highlights of the VulnCon Agenda

The VulnCon agenda includes three days of action-packed vulnerability management content! With the goal of accelerating collaboration within the vulnerability management and standards/frameworks space, the agenda includes 40+ sessions containing actionable advice on how to engage with coordinated vulnerability disclosure across ecosystem stakeholders and how to use and align the assorted vulnerability metadata tools, frameworks, and standards.

Some OpenSSF showcase sessions include:

  • An entire “Day of VEX” from practitioners, including OpenSSF contributors:
    • Democratizing Exploitability Data with OpenVEX by Adolfo Garcia Veytia (Stacklok, MX).
      • This session will discuss VEX, best practices for implementation, and how the industry can leverage the VEX tooling that our OpenVEX SIG has been developing!
    • Panel Discussion: Don’t be Vexed by VEX – VEXperts Panel by Adolfo Garcia Veytia (Stacklok, MX); Art Manion (ANALYGENCE Labs, US); Christopher Robinson (Intel, US); Justin Murphy (CISA, US); Rose Judge (SPDX, US); Steve Springett (OWASP, US).
      • This panel will cover everything you need to know about VEX from multiple perspectives, and will include examples of various implementations and the justifications for each approach.
    • CSAF/VEX: Improved Security Data by Martin Prpic (Red Hat, US).
      • In this session, an OpenSSF contributor will discuss both technical and non-technical aspects of vulnerability management aimed at the incident-response audience, including how CSAF and VEX data is used (and can be misused) within security development lifecycle practices.
  • Expert panels on industry coordinated vulnerability disclosure, vulnerability identifiers, and vulnerability management best practices:
    • Crossing the Streams – How Downstream Can Understand Upstream Vulns by Christopher Robinson (Intel, US); Madison Oliver (GitHub, US).
      • In this session, the chairs of our Vulnerability Disclosures WG will cover how upstream and downstream projects can work better together by crossing the streams when coordinating and managing vulnerabilities, including best practices, recommendations, and resources for open source maintainers and consumers.
    • The Trials and Tribulations of Bulk Converting CVEs to OSV by Andrew Pollock (Google Open Source Security Team, AU).
    • Effective Vulnerability Management for Over 400 Projects at the Eclipse Foundation by Marta Rybczynska (Eclipse Foundation, FR); Michael Winser (Eclipse Foundation, US).
      • In this session, two OpenSSF contributors will discuss how the Eclipse Foundation Security Team went from ad hoc vulnerability management across more than 400 projects to a set of common practices and solutions that make every aspect of the process secure and effective at scale.
    • Why Can’t We All Just Get Along? Bridging the Gap in Vulnerability Prioritization Standards by Yotam Perkal (Rezilion, IL).
      • In this session, an OpenSSF contributor will explore the common vulnerability standards and frameworks, analyze their relative impacts, advantages, and disadvantages, and discuss how these frameworks can be bridged and harmonized.
    • Panel Discussion: This One Time at CVD Camp by Art Manion (ANALYGENCE Labs, US); Christopher Robinson (Intel, US); Deana O’Meara (NVIDIA, US); Madison Oliver (GitHub, US).
      • This panel will explore various coordinated vulnerability disclosure experiences and perspectives, what has worked well and what hasn’t, and what steps we can take to overcome common barriers.
  • A Roadmap for Your OSS Security Lifecycle Journey to Protect Customers by Lisa Bradley and Sarah Evans (Dell, US).
    • This session will explore the essential components of a mature OSS security practice and provide a comprehensive guide on how businesses can enhance customer protection through effective OSS management, with special emphasis on the OpenSSF and its offerings to improve security practices in the OSS supply chain.

Get Involved

Are you passionate about driving innovation, solving complex security and open source challenges, and making a positive impact on society? Then we invite you to get involved in OpenSSF! We are committed to bringing together thought leaders, industry experts, and changemakers from diverse sectors to further our mission of making it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. We look forward to seeing you in our next working group meeting!

About the Author

Madison Oliver is a vulnerability transparency advocate and senior security manager at GitHub, leading the advisory database curation team. She is passionate about vulnerability reporting, response, and disclosure, is the co-chair of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures Working Group, and serves on the CVE Program Board.