
  1. To address:
    1. Key contact points from each of the projects.
    2. Check whether the reported issue is a vulnerability that warrants a CVE.
    3. What to do if the reporter is from within the project.
    4. Follow up with maintainers: what happened to the issue that was raised?
    5. Do not use the mailing list as it functions today.
  2. Suggestions:
    1. Establish a process for reporting CVEs.
    2. Make use of the GitHub CVE reporting feature to automatically notify dependent projects.
    3. Survey while feeding in new issues, with justification.
      1. Do calculate the score; a questionnaire-based report is not sufficient.
      2. Notify a third party (outside the project, with familiarity with the reported issue). Consider the reporter given their research motives.
    4. Use HackerOne as proposed in "Gaps between guidance and implementation for CSVD" to increase participation. Ask GB to sponsor.
    5. Process for auditing reported issues.
    6. In case the reporter is a member of the project team, create a checklist for members to follow, so that there is a trace that provides auditability of what was done.
  3. Gap in OpenSSF
    1. Goal: provide feedback to OpenSSF so that their guidelines can be improved.

Action items

  • Review the checklist for members to follow while reporting vulnerabilities.
  • Questionnaire to report a vulnerability, including calculation of the vulnerability's CVSS score.


Recordings

Attachments