Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about the recent release of OpenSSF’s “Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects” document and the important step of obtaining a CVE ID in the coordinated vulnerability disclosure process for open-source vulnerabilities.
OpenSSF is a “cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them.” The CVD Guide was released by OpenSSF’s Vulnerability Disclosure working group in September 2022, which in 2021 released its “Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects” document, both of which are discussed by Shannon and Madison.
Other discussion topics in this episode include the importance of finders (e.g., security researchers, hackers, academics, bug bounty hunters, etc.) in vulnerability management, how finders can expedite their requests to software owners with quality information in their initial requests, OpenSSF’s vulnerability report template and how using it can help with requests, importance of obtaining a CVE ID for open source and all vulnerabilities, best practices for working with CVE Numbering Authorities (CNAs), managing expectations for turnaround times, the CVE Program’s CVE Record Dispute Policy, why all participants should remember that they are interacting with people in all aspects of the vulnerability management process, and more.
OpenSSF CVD Guide – https://github.com/ossf/oss-vulnerability-guide/blob/main/finder-guide.md#readme
OpenSSF vulnerability report template – https://github.com/ossf/oss-vulnerability-guide/blob/main/templates/notifications/disclosure.md
OpenSSF Implementing a CVD Process Guide – https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#readme
CVE Record Dispute Policy – https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf