emyu01 / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.

Home Page: https://openssf.org

Vulnerability Disclosures


Objective

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We plan on addressing this challenge through the following actions:

  • Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members, by providing documented standards and educational materials.

  • Identifying vulnerability disclosure pain points for OSS maintainers, consumers, and security researchers, and taking steps to address them.

  • Facilitating the development and adoption of a standards-based OSS Vulnerability Exchange that uses existing industry formats and allows OSS projects of all sizes to report, share, and learn about vulnerabilities within OSS components.

Scope

Get Involved

We communicate on the Vulnerability Disclosure mailing list. Manage your subscriptions to OpenSSF mailing lists.

Meeting Times

The working group meets every two weeks, on Monday at 4:00 PM GMT / 8:00 AM PT. Currently we are using Zoom for working group meetings. The invite is available on the OpenSSF Community Calendar.

Contact Marcin if you wish to be added to the invite list.

The meeting agenda is published prior to each meeting in a GitHub issue with the label "meeting". The issue contains the agenda items and logistics details such as date, time, Zoom link, and a link to the meeting notes document.

Meeting Notes

Meeting notes are kept in this repository.

Governance

Members

We use the vulnerability-disclosures-wg GitHub team.

The CHARTER.md outlines the scope and governance of our group activities.

License: Apache License 2.0