We Speak CVE

Coordinated Vulnerability Disclosure

December 30, 2022 CVE Program Episode 17
We Speak CVE
Coordinated Vulnerability Disclosure
Show Notes

Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about the recent release of OpenSSF’s “Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects” document and the important step of obtaining a CVE ID in the coordinated vulnerability disclosure process for open-source vulnerabilities.

OpenSSF is a “cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them.” The CVD Guide was released by OpenSSF’s Vulnerability Disclosure working group in September 2022, which in 2021 released its “Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects” document, both of which are discussed by Shannon and Madison. 

Other discussion topics in this episode include the importance of finders (e.g., security researchers, hackers, academics, bug bounty hunters, etc.) in vulnerability management, how finders can expedite their requests to software owners with quality information in their initial requests, OpenSSF’s vulnerability report template and how using it can help with requests, importance of obtaining a CVE ID for open source and all vulnerabilities, best practices for working with CVE Numbering Authorities (CNAs), managing expectations for turnaround times, the CVE Program’s CVE Record Dispute Policy, why all participants should remember that they are interacting with people in all aspects of the vulnerability management process, and more.

 LINKS:

OpenSSF CVD Guide – https://github.com/ossf/oss-vulnerability-guide/blob/main/finder-guide.md#readme

OpenSSF vulnerability report template – https://github.com/ossf/oss-vulnerability-guide/blob/main/templates/notifications/disclosure.md 

OpenSSF Implementing a CVD Process Guide – https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#readme 

CVE Record Dispute Policy – https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf

CNAs – https://www.cve.org/ProgramOrganization/CNAs