As we unveiled the Golden Egg Award winners in April during the SOSS Community Day North America, we recognized those who go above and beyond in enriching our community. Today, we spotlight Christopher “CRob” Robinson, the winner of the Golden Egg Award for OpenSSF Community Engagement. CRob has made continuous impactful contributions as the chair of the Vulnerability Disclosure Working Group and the Technical Advisory Council (TAC), significantly contributing to the working group’s guides and presenting at industry conferences.
We had the opportunity to sit down with CRob and learn more about his journey, achievements, and insights. Here’s what he had to say.
Interview with Christopher “CRob” Robinson
Q1: Congratulations on winning the Golden Egg Award for OpenSSF Community Engagement! How does it feel for the community to recognize your contributions?
Answer: It is pretty amazing and humbling to be recognized by my peers within the community for this honor! To me, this really represents the culmination of the last 4+ years of us all collaborating together on helping move forward the OpenSSF’s mission of making open source software more secure.
Q2: Can you share a bit about your journey into the world of open source and community engagement? What sparked your initial interest?
Answer: It was interesting seeing the backstage orchestration as the foundation was being assembled with friends from across the industry forging what became the OpenSSF. My former boss, Mark Cox, had asked that I participate in several of the emerging working groups (Vulnerability Disclosures and OSS Developer Best Practices), as I had experience with ecosystem vulnerability coordination with our PSIRT and through a group called the Forum of Incident Response and Security Teams, and I was helping lay the foundations for our Secure Software Development Lifecycle program. So, these two groups were ready-made for us to jump straight in and start participating! It makes me proud to work with my peers from across the industry jumping in and providing leadership earned from our maturity and experiences in upstream open source. Now that we’re over four years in, we’ve seen waves of newcomers with new ideas jump in and contribute to uplifting the security of open source software for ALL users. I’m proud of what we’ve achieved so far and excited to see where we go next!
Q3: As the chair of the Vulnerability Disclosure Working Group and the TAC, what have been some of your most rewarding experiences?
Answer: I love it when we have new faces bringing new ideas. The look of excitement when newbies realize they’ve found a new family and friends that share so many commonalities and a desire to help. It is amazing when the groups pull together and create some new piece of work and then I can assist in getting those ideas released and amplified. It takes so many different skills, from technical to soft skills, to help us be successful in our mission, and to know that I had some small hand in helping orchestrate some valuable piece of work for the community makes me so very proud of the team.
Q4: You’ve contributed significantly to the guides published by the working group. Can you tell us about the process and the impact these guides have had on the community?
Answer: In order to be successful in deploying any new thing, you need to balance and blend people, process, and technology. I’m not a developer by training (although I’ve worked with devs for almost all of my entire career, helping them integrate security practices and tools), so I can’t directly assist with the “tech” aspect of writing code and whatnot, but I have an extensive background in policies and standards; security architecture; governance, risk, and compliance, and business process analysis. These are skills that can be missing in a lot of software projects, so that’s where I can help step in and add value to the team. The assorted guides that the foundation puts out are critical to helping to document and establish good security practices and norms for our community. Guidance such as our Coordinated Disclosure Guides help maintainers understand the complexities of vulnerability disclosure, but we have a guide focused on explaining how upstream handles security reports for security researchers so that, ideally, interactions between maintainers and researchers go more smoothly because each side understands the other’s goals, motivations, and practices. I’ve had several project maintainers cite the library of CVD materials that the Vulnerability Disclosure Working Group created as seminal to their security maturity journeys. These guides help clarify things that weren’t effectively documented before and help set the standard and expectations for the use of those tools going forward.
All of these guides start off with a group discussion or a member who has some seed materials to begin the collaboration on. The group will meet and iterate over the content until it feels it is ready to publish, at which time we’ll start to circulate more broadly to get outsiders’ perspectives on the documents. This helps us ensure that we’re meeting the reader where they are and providing value to them. After we review and react to that feedback, we’ll publish the document to assorted locations and start to raise awareness that this new guide or paper is available for public use. It is a very open source process that allows multiple levels of feedback from experts, laypeople, and end users.
Q5: The open source community thrives on collaboration and innovation. In your opinion, what are the key elements that foster a strong and engaged community?
Answer: Open source is a digital public good that benefits everyone. Most of the folks who come to our little part of the ecosystem *believe* that and are seeking other like-minded folks who are willing to donate their time for the greater benefit of the whole community. One of the key things that help us maintain our velocity is that positive attitude. Like our favorite goose mascot, Honk, we cheer each other on and celebrate our shared successes. The best way to foster diverse, inclusive participation is to provide that safe space where many different folks can work on ideas together and we can help each other deliver the best possible end product, whether that’s a piece of code, a groovy new guide, or even feedback to help a new person with their conference presentation sharing their wonderful new idea with the world. People who feel supported and are amongst like-minded individuals create better work at the end of the day.
Q6: What are some challenges you’ve faced in your role, and how have you overcome them?
Answer: How long do we have for this article? My list is very, *very* long “bwahahahaha” [laughs]. Seriously though, I observe several patterns that those of us fighting this good fight keep falling into. First, there are a lot of amazing ideas. We have no shortage of things we *could* do. We have a shortage of people with the time and skills needed to help *do* those things. Like the open source projects we are trying to assist, we suffer from a lack of time and resources. To paraphrase the words once uttered by a wise man: “When everything is important, nothing is.” This brings me to my second observation: We have limited resources and volunteer time/goodwill, and it is challenging to find the best way to prioritize and thread that needle to still be effective with what we have. My solution to both is to empower contributors to be stewards of their own destinies. If someone is passionate and energized, I try to respond with that same level and help them find others who want to collaborate on the same projects or goals and get them plugged into supporting resources. Helping foster those little communities and finding peers, collaborators, contributors, and maintainers is critical for us to help that pipeline of innovation and work together on our shared objectives.
Q7: Looking ahead, what are your goals for the Vulnerability Disclosure Working Group and the TAC?
Answer: For the Vulnerability Disclosure Working Group, we have a few things we’re working on that we’d like to deliver to the community this year. My personal goal with the group is to deliver the last installment of our “CVD Trilogy” and publish a Coordinated Disclosure Guide for OSS Consumers to go along with our existing Maintainers and Finders guides. This should provide the last piece of the puzzle of how to manage vulnerabilities and actions that all parties should take to ensure the best possible outcome for consumers when defects go public. As with all of our work, patches are *always* welcome!
Next, we helped with the OpenSSF TableTop Exercise earlier this year. We’d like to see that library of resources and templates grow so that open source projects or smaller organizations can benefit from that planning discipline before they are in a crisis. We participated in a workshop that the CISA sponsored earlier this year, and that was really eye-opening—how just a little planning and documentation can help other foundations and projects prepare for the inevitable day they find themselves involved in some cybersecurity incident. These learnings helped us with things such as the industry collaboration on getting the word out about the recent XZ-Utils attack and opened the doors to ideas such as our new SIREN project.
SIREN gives the community an outlet they never had before to share public information about actively exploited vulnerabilities. The last 25 years of upstream vulnerability management have predominantly been focused on pre-disclosure and public disclosure activities. This was and continues to be an amazing movement for the betterment of all open source consumers, but there really was no good forum for defenders to share and collaborate on. The old adage “if you see something, say something” totally applies here. Sharing is caring, and by using our open source model, I feel that SIREN can help arm defenders downstream with actionable things to look for or protect themselves with.
From a TAC perspective, this has been a great year in that we’ve really matured our processes and documentation. We are starting to see the benefits in increased velocity and smoother, more consistent organization today. I know that the TAC is hungry to start diving into some of the more technical aspects of our projects and initiatives now that a lot of the administrivia of the last several years has been completed. We’ve recently completed a second round of reviews, which allows us to help fund and empower our Technical Initiatives to achieve their goals. We’ve learned a lot through the cycle and have a few more improvements to make the whole request-and-approval process even better the next go-around.
Q8: How can others in the community contribute to the initiatives you are leading?
Answer: There are several things folks can do! First, show up to a call! Meet some of your new best open source friends! We have so many interesting things going on around open source security, supply chain, and AI that I imagine people will be like me and have a hard time picking just one thing to participate in. We have amazing resources: guides, webinars, podcasts, office hours, tools… Find something you like and get value out of, then share that with others. Spread the word. Like a good book or movie, share something new with someone new to grow the circle of our reach. There are so many ways people can benefit and give back to the open source ecosystem, spanning the super-technical to the nontechnical. Just listening to a project and giving your impressions and feedback is *so* valuable in helping make all of us successful.
Q9: Lastly, what advice would you give to someone who is passionate about open source and wants to make a meaningful impact?
Answer: I mentioned this a few weeks back in an episode of “What’s in the SOSS?” we recorded. If you have some topic that you find interesting, that sparks joy for you, grab on to that. Find others who share that spark, and partner with them to grow that idea so that it spreads like wildfire and inspires others. Give back to the ecosystem that has given so much to the world. With groups such as the OpenSSF, we have a real asymmetric effect in the impact we can have. With just a handful of motivated folks, we can make a difference and help change the world. We can help protect developers and help them protect the software they work so hard on. We can share with downstream how they can help and how to identify where they might want to invest some more time and effort to help manage their risks. It just takes attending one meeting—commenting on one issue—and you can begin a lifelong journey of helping others through open source.
Special Recognition
We also acknowledge Andres Freund, a partner software engineer at Microsoft and contributor to PostgreSQL. Andres, recognized as a “Golden Egg,” made a significant impact by identifying the XZ vulnerability and promptly alerting the open source community. His swift action helped prevent a potentially catastrophic breach in the open source software supply chain.
New Round of Golden Egg Award Nominations Now Opens
Congratulations again to CRob and Andres for their outstanding contributions! Their dedication and leadership inspire us all. A new round of Golden Egg Award Nominations now opens — be sure to participate and nominate those who make a difference in our community!