The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD) for all. The group will be a coordinated group of experts from across the industry who will be available to help open source maintainers with all aspects of remediating high-impact security vulnerabilities and related security emergencies
Motivation
Historically, Open Source maintainers and end users have depended on a circle of trust to distribute and consume Open Source Software safely. Over the last several years, this concept has proven to be problematic and sub-optimal by itself with the increase of attacks targeting open source maintainers as well as the components they create and maintain. Effectively, these problems have illustrated additional effort and work are required to ensure that both Consumers and End Users of maintainers are consuming Open Source Software safely while still their needs met with the least friction to their overall intent and objective in maintaining their software. As it presently stands, this type of work traditionally is the responsibility of a project's Maintainer group; however, frequently, the Maintainer(s) already lack sufficient resources to address their own needs adequately let alone take on the additional work being asked of them to develop and provide their open source component in secure manner acceptable to anyone using it. Piling on more work to the already stressed pipeline and burdened maintainers often results in Security not being prioritized until a Security issue becomes forefront, which is often too late for a project's Consumers and End Users.
This SIRT's motivation is to make available the incident response resources to assist Open Source Software communities, downstream consumers, and vulnerability management ecosystems in addressing their current and upcoming Security issues, vulnerabilities, incidents, and the processes necessary for their execution. We intend to deliver service offerings to projects that provide an additional support arm against incidents, like log4shell, which are otherwise not available to these projects. We hope these efforts will assist in addressing critical and time-sensitive Security issues across the Open Source Software communities that participate in the program.
Objective
[What is to be achieved with this initiative]
[OKRs - OPTIONAL]
Scope
[What is in and out of scope] To develop a cohort of trustworthy, vendor-neutral, vetted, well-orchestrated and experienced group of security professionals
EXPRESSLY OUT OF SCOPE: ⊲ Anything involving vulnerabilities in closed-source/proprietary software ⊲ Security improvements to open-source software that are not tactically essential to the patching of newly-reported, high- and critical-impact vulnerabilities in open-source software ⊲ Helping projects or individual enterprises with remediating their own security exposures from another open-source project’s security vulnerabilities
Prior Work
The OpenSSF's Mobilization Plan - Stream 5
- List of prior and/or related projects
Get Involved
- Official communications occur on the OSSF OSS-SIRT Mailing list.
Manage your subscriptions to Open SSF mailing lists. - Slack Channels - stream-05-incident-response, wg_vulnerability-disclosures
Quick Start
- Areas that need contributions
- Build information if applicable
- Where to file issues - https://github.com/ossf/SIRT/issues
- Etc.
Meeting times
- Every Tuesday @ 9:00am EST The invite is available on the OpenSSF Community Calendar.
- Meeting Minutes are recorded in google docs.
Governance
[TODO: Update this link to your specific CHARTER.md file] The CHARTER.md outlines the scope and governance of our group activities.
- David A Wheeler, LF/OSSF
- Emily Fox, Apple, CNCF TOC
- [Eric Tice, WiPro]
- [Jennifer Mitchell, Tidelift]
- Madison Oliver, GitHub Security Lab
- [Marta Rybczynska, OSTC]
- Randall T. Vasquez, Gentoo
- Arnaud J Le Hors, IBM
- Art Manion, ANALYGENCE
- [Brian Behlendorf, Linux Foundation, OpenSSF]
- [Deana Shick, Intel]
- [Harimohan Rajamohanan, WiPro]
- [Jack K, ControlPlane/nixpkgs]
- [Josh Dembling, Intel]
- [Langley Rock, Dell]
- [Matt Rutkowski, IBM]
- [Yotam Perkal, Rezilion]