OSSF Vulnerability Disclosures WG Notes - 2023

Notes for 2024: OpenSSF Vuln Disclosure WG Notes-2024

Notes for 2022: OpenSSF Vuln Disclosure WG Notes-2022

Resources:

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

All OpenSSF meeting participants must comply with the OpenSSF Code of Conduct:

https://openssf.org/community/code-of-conduct/

Upcoming Topics

Please add your agenda item, name and approximate time allocation to the bottom of the list.

Meetings

2023-12-13 Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x CRob [email protected] Intel/OSSF he/him SecurityCRob
x Madison Oliver [email protected] GitHub she/her taladrane
X Nathan Menhorn (AMD)
x Seth Larson [email protected] PSF he/him sethmlarson
x Edgars Vasiljevs [email protected] Independent he/him
X Jared Miller [email protected] SAP jdmcyber

Meeting Agenda

Opens

  • Seth Larson: Discussion on arbitrary code execution as a prerequisite for a vulnerability.
    • Noticing a trend in reports where the quality is low
      • I.e. magically run arbitrary code before you can execute the actual attack
    • What could this group do to help mitigate this?
      • A resource to point to, to help lower the time spent on the defender/coder side
    • What does the group think?
      • Need to consider admin-like privs. So where does the line get drawn?
      • If there is no net gain in access, there is no vulnerability
      • They actively turn off the default security features
      • this sounds like a great idea for a discussion post type of conversation as opposed to a guide or blog (some of the other media methods we’ve done) 🤔 https://github.com/ossf/wg-vulnerability-disclosures/discussions
      • With a different hat on, there may be something about this in new CVE assignment rules
      • If you turn on security can you still perform the attack?
    • ( ) Seth to open up an issue in the Vuln. repo
  • Dick Brooks (REA) Presentation

Meeting Notes

  • Notes captured above

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023-11-30 - APAC Call

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x CRob [email protected] Intel/OSSF he/him SecurityCRob
X Andrew Pollock [email protected] Google he/him andrewpollock
X Khahil White [email protected] LF he/him theheels
X Kyle Kelly [email protected] Semgrep/CramHacks he/him

Meeting Agenda

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023-11-29 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X Nathan Menhorn (AMD)
x Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
x Toddy Mladenov Microsoft he/him toddysm

Meeting Agenda

  • Who wants to help out and scribe for us today?
    • Nicole
  • New Friends intros
    • Adrianne Marcum - Open SSF
    • Jarad Miller - SAP
  • Opens
  • Updates from Sub-Projects

Opens

  • For everyone who couldn't make today's meeting: we did a round of triage and could use some people's time on the following, if possible
  • Any final comments on mission/vision
  • Last Nicole remembers, we were all OK with the mission/vision (though we all had some tweaks on words, but words are hard)? Get your final comments in so that we can go forward!
  • #136
  • Could we decide to link out to all the existing work found vs do our own and finish up #95
  • There are a few if people get time over the holidays could be good small ones that just need a bit of dedicated time
  • comments/push forward #138
  • White paper #88
  • shorts/instagrammable #94
  • Would these be more relevant to the VEX SIG? #76
  • And #28

Meeting Notes

  • Nicole posted open issue in Slack (above) for MVSR with no comments back so it is officially accepted!! - Victory!
  • Not seeing anything new to triage
  • Does anyone want to submit a CFP for VulnCon (Slack thread as well)
    • Art is interested and open to collaborating
    • What is vuln con?
      • A bunch of orgs Co-Sponsored by FIRST and the CVE Program to discuss vuln and vuln mgmt ecosystem
      • Link in slack for CFP, closes January 31, 2024
      • https://www.first.org/conference/vulncon2024/
      • Trying to be inclusive as to who is talking about it, avoid echo chambers

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)
  • Still on hold

OpenVEX SIG

  • Art - nothing he can recall that is new to bring up here

OSV Project

  • [not present]

2023-11-15 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
x Khahil White [email protected] OpenSSF He/him theheels
X Chris de Almeida [email protected] IBM he/him ctcpip

Meeting Agenda

  • Who wants to help out and scribe for us today? - Nicole
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens

Meeting Notes

  • New Friends
    • Khahil White
    • Mohit Singh
  • Opens
    • Question - best practices on disclosure
    • Action Item status on putting the outgoing disclosure policy into GitHub (it’s on the website)
    • Should we add any notes for the marketing teams? (based on current email going on with my team) -
      • Using the word embargo should resonate with those teams
        • Perhaps ask maintainers to use the word embargo in future
      • Best practice guide suggests getting blog into cve list with mitre
        • Where might be good to cross reference for findability
    • How does data loss and reporting relate to this process
      • Laws around breach (gdpr)
      • New sec rule being evaluated on certain disclosure timelines
      • We, this working group, are more related to data (vulnerability) best practices as opposed to data best practices (breach)
        • We do discuss data around configurations, metadata, etc
        • We discuss vulnerability data itself (specific data)
        • Feedback for the org itself about this is currently a missing coverage point
    • Vulncon CFP https://www.first.org/conference/vulncon2024/ - https://easychair.org/account/signin

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)
  • Jonathan will try and re-ignite participation when he has the time to do so if no one else does first

OpenVEX SIG

  • No one here but they have Meetings on Monday - also APAC

OSV Project

Triage of open issues

Any final comments on mission/vision

Last Nicole remembers, we were all OK with the mission/vision (though we all had some tweaks on words, but words are hard)? Get your final comments in so that we can go forward!

#136

Could we decide to link out to all the existing work found vs do our own and finish up #95

There are a few if people get time over the holidays could be good small ones that just need a bit of dedicated time

comments/push forward #138

White paper #88

shorts/instagrammable #94

Would these be more relevant to the VEX SIG? #76

And #28

2023-11-01 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x CRob [email protected] Intel/OSSF he/him SecurityCRob
x Madison Oliver [email protected] GitHub she/her taladrane
X Nathan Menhorn (AMD)
x Art Manion [email protected] zmanion
x Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
X Khahil White [email protected] OpenSSF he/him theheels
x Seth Larson [email protected] PSF he/him sethmlarson
X Greg Kroah-Hartman [email protected] Linux Foundation he/him gregkh
X Jared Miller [email protected] SAP jdmcyber
X Chris de Almeida [email protected] IBM he/him ctcpip
x Laurie Tyzenhaus [email protected] CERT/CC

Meeting Agenda

  • Who wants to help out and scribe for us today?

  • New Friends intros

    • Khahil White - Program Manager at LF/OSSF
  • Opens

    • Becoming a CNA doc: reaching out to marketing, got final reviews now that travel has cooled down.
  • Updates from Sub-Projects

    • Notes will be updated
  • Still seeking co-lead and/or backlog warden to help with the group

    • Khahil raising hand here
  • What to do with the “Autofix SIG”?

    • Anyone currently participating?
    • What do we want to do with this?
      • Maybe archiving this if not enough support
    • Guidelines seem useful and don’t want to lose the flow charts/diagrams/etc.
    • Spun off of the Alpha-Omega project
      • AO will not focus on the Omega tooling aspect in 2024
    • It’s all up to us now to keep this effort going
  • VulnCon update!

    • Save the date - March 25-27, 2024 in RDU NC, USA
    • Program committee starts meeting … TODAY! Look for CFP in November
      • Help for choosing content, theme, and other aspects for the meeting
    • Panel to discuss how CVD works?
    • More details to come
    • CRob to send out the link to the mailing list
  • Let’s keep working on the “Roadmap” part of our MVSR:

    Proposed Roadmap:

  • Evangelize artifacts and tooling from the group through podcasts, conference presentations, blogs, etc. for things like the CVD guides, OSV, & VEX

    • Podcasts
    • Blogs
    • Conferences
    • Open office hours to interact with Open Source project managers and help them.
      • Support industry-wide vuln coordination efforts with good practices identified by the OSS-SIRT SIG
  • Expand use of VEX by upstream projects through the advocacy and use of VEX and VEX-creation tools (such as OpenVEX). Issuance of VEX documents upstream helps the whole ecosystem understand what is needed and how to effectively execute, providing critical vuln affectedness data to downstream consumers so they can understand how to incorporate with other vuln info (CSAF, OSV, SBOM, etc).

  • Increase awareness and use of CVD guides, techniques, and tools

  • Increase the awareness and use of OSV

  • Participate in forthcoming industry “VulnCon” and related conferences to share OSS vuln mgmt perspectives with broad PSIRT/CSIRT/CERT ecosystem

  • Provide guidance, documentation, and templates to the OpenSSF and the broader OSS community for use as security policies and vulnerability management processes (security.md, vuln disclosure policy, etc.)

  • NOTES/FEEDBACK

    • ( ) ALL work async and we can pick this topic up next time
    • We should be careful on promoting OpenVEX versus all of the other tools out there
    • New blog outlet - Evil Tux (developer and technical focused)
    • Office hours for coaching and guidance
    • VEX
      • OpenVEX does translation
      • Early stages and would be a good opportunity to find out the pros/cons of the tools. Maybe suggest other tools or enhancements.
    • CVD
      • CVD guide for consumers needs to be worked on. Probably ~Jan 2024
    • OSV
    • RFC: Becoming a CNA as an Open Source organization or project
    • VulnCon Involvement
      • Expand this? Yes!
    • Coord Efforts w/ OSSF-SIRT SIG
      • Maybe make this a sub-bullet under the top bullet as our list is quite long
    • Guidance Docs
      • Already have vuln doc but advertise this more
      • Expand upon this
      • Make this available both within OSSF and the broader community

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023-10-18 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x CRob [email protected] Intel/OSSF he/him SecurityCRob
x Madison Oliver [email protected] GitHub she/her taladrane
x Jonathan Leitschuh [email protected] Independent He/Him Jlleitschuh
X Nathan Menhorn (AMD)
0.5x Art Manion [email protected] zmanion
X Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
x Dick Brooks [email protected] REA rjb4standards
x Dana Wang [email protected] OpenSSF She/Her danajoyluck
x Toddy Mladenov
x Tobias Heldt [email protected] Cyberfame he/him
x Eric Hammersley Nutanix
x Victor Lu
x Senthil V Zeta He/Him
x Chris de Almeida [email protected] IBM he/him ctcpip
x Jared Miller [email protected] SAP
x Kyle [email protected] Semgrep
x Adrianne Marcum [email protected] LF OpenSSF she/her afmarcum
x Christof Walter [email protected] SAP he/him
x Janane Suresh

Meeting Agenda

  • Who wants to help out and scribe for us today?

  • New Friends intros

    • Toddy Mladenov (Microsoft)
    • Dana Wang (OpenSSF Architect)
    • Dick Brooks (Reliable Energy and Analytics (REA))
    • Jonathan - now independent
    • Tobias (Tobi) Heldt
    • Jared Miller (SAP)
  • Opens

    • No opens
  • Updates from Sub-Projects

    • No update
  • Is anyone interested in co-leading this group?

    • No need to answer today
    • ( ) CRob to send out a formal request to the mailing list later today
    • Jonathan in a few months but not today
  • Review MVSR for WG:

    Proposed Mission:

    The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers.

  • ( ) CRob will make updates on github if any

  • CISA has endorsed CSAF Security Advisories (profile 4) to report on affected software products from a new vulnerability. Will Security Advisories (CSAF profile 4) be addressed?

    • How overall artifacts fit in.
    • Talked about this over the years
    • CSAF is probably more appropriate for FIRST
    • We don’t have the authority to tell developers what to do but can advise
    • When to issue an advisory versus a VEX

    Proposed Vision:

    A world where coordinated vulnerability disclosure is a normal, easy, and expected process that is supported by guidance, automation, and tooling for maintainers, consumers, researchers, and vendors, with the goal of making open source software and the open source software supply chain more secure for everyone.

    A world where coordinated vulnerability disclosure is

  • a common, easy, and expected process

  • supported by well-documented guidance, automation, and tooling for open source maintainers and consumers, security researchers, and vendors

  • with the goal of making open source software and supply chains more secure for everyone.

  • Term coord vuln disc (CVD) coordinating around vendor timeline versus researcher timeline. Concerned about leaving vulns open for a long time.

    • Not necessarily supporting vendors but more of the open source community
    • Jonathan means vendors == open source maintainers
  • End of last sentence awkward: Can replace the end with just “more secure” versus “safer place”?

  • Supply chain encompasses SW from cradle to grave

    • Is supply chain defined somewhere to ensure we are talking about the same supply chain? The SIG is working on this.
    • Thinking about SLSA, its focus is on the factory piece
    • S2C2F - enterprise consumption
  • Remove “mature” from vendors?

    • Removed
  • “And vendors” => for vendors

  • “Normal and expected”: In the EU it’s required but making it easy

  • Missed consumers

  • Regulators? But we do have “everyone” at the end

    • Avoid being too exhaustive could potentially even remove “vendors, …”
    • Could be a good idea to add in Regulators
    • Policy-makers more appropriate - although drop this
  • TODO: Specifically call out how policy makers, regulatory bodies etc can collaborate with us and be VERY clear be encourage them to leverage our work but our work is targeted at our primary users (vendors, researchers, maintainers)

  • Process that’s supported by processes

    • Documentation instead?
    • Mechanisms?
    • Procedures?
    • Plus automation to support the vision

    Proposed Strategy:

    We plan on addressing this challenge through the following actions:

  • Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented guidance and educational materials.

  • Identifying vulnerability disclosure pain points and incentives for OSS maintainers, consumers, and security researchers and taking steps to address them.

  • Facilitate the development and adoption of a standards-based OSS Vulnerability Exchange (VEX) that uses existing industry formats and allows OSS projects of all sizes to be able to report, share, and learn about vulnerabilities within OSS components.

  • NOTES/FEEDBACK

    • Guidance - more broad
    • This is high-level and doesn’t have the specifics like the section below

    Proposed Roadmap:

  • Evangelize artifacts and tooling from the group through podcasts, conference presentations, blogs, etc. for things like the CVD guides, OSV, OpenVEX, & autofix sig

    • Podcasts
    • Blogs
    • Conferences
    • Open office hours to interact with Open Source project managers and help them.
  • Expand use of VEX by upstream projects through the advocacy and use of VEX and VEX-creation tools (such as OpenVEX). Issuance of VEX documents upstream helps the whole ecosystem understand what is needed and how to effectively execute, providing critical vuln affectedness data to downstream consumers so they can understand how to incorporate with other vuln info (CSAF, OSV, SBOM, etc).

  • Increase awareness and use of CVD guides, techniques, and tools

  • Increase the awareness and use of OSV

  • Participate in forthcoming industry “VulnCon” to share OSS vuln mgmt perspectives with broad PSIRT/CSIRT/CERT ecosystem

  • Support industry-wide vuln coordination efforts with good practices identified by the OSS-SIRT SIG

  • Provide guidance, documentation, and templates to the OpenSSF for use as security policies and vulnerability management processes (security.md, vuln disclosure policy, etc.)

  • Something something Autofix

    • Omega MVSR -> assist with extracting our goals from
  • NOTES/FEEDBACK

    • ( ) ALL work async and we can pick this topic up next time
    • We should be careful on promoting OpenVEX versus all of the other tools out there

Opens

  • above

Notes

  • above

2023-10-04 - Full WG

Notes

  • Zoom link not working?
    • 10/4: Nope :)

2023-09-29 - APAC Call

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X Madison Oliver [email protected] GitHub she/her taladrane
X Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
X Seth Larson [email protected] PSF he/him sethmlarson
X Andrew Pollock [email protected] Google he/him andrewpollock

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects
  • “Becoming a CNA as an Open Source Project / Org”
    • #139
    • Final rounds of review, reviewed by OSSF Vuln Disc WG, CNA Outreach+Community WG, CNA Coordinator WG.
    • What’s next?

Opens

Meeting Notes

  • #139
    • Happy with the current state of the document and ready to move it somewhere stable
    • What’s next?
      • Determine where we put this, how we link to it on OpenSSF’s site, and if we need to publish a blog post or any media about it > Seth is going to follow up with OpenSSF directly
      • Future evolution? - if these records could be converted to a CVE and then converted to OSV then we could try and create a more singular source of truth
        • CNA in a box? Using a GitHub Action?
        • Goal is to make changes to vulnerability data in a single place (like OSV), and if you’re both an OSV and CVE data source, it’ll update automatically in both places
    • FYI: CVE-2023-42467 is one of the CVEs currently crashing
      • gsutil cp gs://osv-test-cve-osv-conversion/osv-output/CVE-2023-39947.json /tmp
      • pipenv run python -m osv.analyze_tool --analyze_git=true --format=json /tmp/CVE-2023-39947.json
  • Cloud Security Alliance is putting together a vulnerability data working group focused on data quality and all of the issues surrounding that
    • Had first meeting to discuss this Wednesday, Sept 27, and current plan is to follow up on Slack and determine scope for this effort and future meeting times and plans
    • Want to get vuln DBs, scanners, and community members together to discuss these problems specifically
    • First Meeting Notes
    • Slack invite: https://csaurl.org/csa-public-slack - #vuln-data channel

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)
  • N/A

OpenVEX SIG

  • N/A

OSV Project

  • Will soon publish a NVD to CVE conversion to the database - reviewing CVEs, mapping the CPE data to repositories, then looking for commits in the repo to map to version ranges and create an OSV entry
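The NVD-to-OSV conversion steps noted above, as an added Python example that is not the OSV project's own converter: it reads a constructed NVD-style record, maps the CPE vendor/product to a repository through an assumed lookup table, and resolves the version bounds to tagged commits for an OSV GIT range. The record, the repository mapping, the tags and the commit hashes are all constructed.

```python
"""Convert a constructed NVD-style CVE record into an OSV entry.

Added example, not the OSV project's own converter. Steps: read the CPE
match data, map vendor/product to a repository, then use that repository's
version tags to turn version bounds into commits. The NVD record, the
CPE-to-repo table and the tag-to-commit table are all constructed; version
comparison uses plain numeric tuples, not full SemVer.
"""
import json

# Constructed record in the shape of an NVD API 2.0 "cve" object (values made up).
NVD_RECORD = {
    "id": "CVE-0000-00001",
    "descriptions": [{"lang": "en", "value": "Example overflow in the widget parser."}],
    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:examplevendor:widgetlib:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.4.1"},
        {"vulnerable": False,
         "criteria": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*"},
    ]}]}],
}

# Hypothetical (vendor, product) -> repository table; a real pipeline curates this.
CPE_TO_REPO = {("examplevendor", "widgetlib"): "https://github.com/example/widgetlib"}

# Constructed stand-in for the repository's `git tag` output: tag -> commit (fake hashes).
REPO_TAGS = {"https://github.com/example/widgetlib": {
    "v1.1.0": "1111111111111111111111111111111111111111",
    "v1.2.0": "2222222222222222222222222222222222222222",
    "v1.3.0": "3333333333333333333333333333333333333333",
    "v1.4.0": "4444444444444444444444444444444444444444",
    "v1.4.1": "5555555555555555555555555555555555555555",
}}


def parse_cpe(criteria):
    """Split a CPE 2.3 formatted string into (part, vendor, product, version).
    Escaped colons ("\\:") inside a field are not handled; fine for this input."""
    fields = criteria.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return tuple(fields[2:6])


def vkey(version):
    """Numeric tuple for comparing dotted versions, so "1.10.0" sorts after "1.9.0"."""
    return tuple(int(p) for p in version.split("."))


def affected_block(match):
    """Build one OSV 'affected' entry for a vulnerable CPE match.
    Returns None when the product has no known repository (a real pipeline
    would queue such matches for manual mapping rather than drop them)."""
    _, vendor, product, cpe_version = parse_cpe(match["criteria"])
    repo = CPE_TO_REPO.get((vendor, product))
    if repo is None:
        return None
    tags = REPO_TAGS.get(repo, {})
    ranged = "versionStartIncluding" in match or "versionEndExcluding" in match
    if not ranged and cpe_version not in ("*", "-"):
        # Exact-version CPE: a single affected version and no commit range.
        return {"versions": [cpe_version], "database_specific": {"cpe": match["criteria"]}}
    introduced = match.get("versionStartIncluding", "0")   # "0" = from the first version
    fixed = match.get("versionEndExcluding")               # exclusive bound = OSV "fixed"
    versions = sorted(
        (t[1:] for t in tags
         if vkey(t[1:]) >= vkey(introduced) and (fixed is None or vkey(t[1:]) < vkey(fixed))),
        key=vkey)
    block = {"versions": versions, "database_specific": {"cpe": match["criteria"]}}
    # Emit a GIT range only when both bounds resolve to commits; "0" is valid as-is.
    intro_commit = "0" if introduced == "0" else tags.get(f"v{introduced}")
    fixed_commit = tags.get(f"v{fixed}") if fixed else None
    if intro_commit and fixed_commit:
        block["ranges"] = [{"type": "GIT", "repo": repo,
                            "events": [{"introduced": intro_commit}, {"fixed": fixed_commit}]}]
    return block


def to_osv(record):
    """Assemble the OSV entry from every CPE match flagged vulnerable in the record."""
    affected = []
    for config in record.get("configurations", []):
        for node in config["nodes"]:
            for match in node["cpeMatch"]:
                if match.get("vulnerable"):
                    block = affected_block(match)
                    if block:
                        affected.append(block)
    summary = next((d["value"] for d in record["descriptions"] if d["lang"] == "en"), "")
    return {
        "schema_version": "1.6.0",
        "id": record["id"],
        "modified": "2023-09-29T00:00:00Z",   # constructed timestamp; OSV requires this field
        "summary": summary,
        "affected": affected,
        "references": [{"type": "ADVISORY",
                        "url": f"https://nvd.nist.gov/vuln/detail/{record['id']}"}],
    }


if __name__ == "__main__":
    print(json.dumps(to_osv(NVD_RECORD), indent=2))
```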

2023-09-20 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
David A. Wheeler [email protected] Linux Foundation
Madison Oliver [email protected] GitHub she/her taladrane
Jennifer Mitchell [email protected] Tidelift
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Yesenia Yser [email protected] OpenSSF, Alpha-Omega cyberjiujiteira
Yotam Perkal (Rezilion)
Crystal Hazen (HackerOne)
Randall T. Vasquez [email protected] Gentoo he/him
Eric Hatleback (CERT/CC)
Kayla Underkoffler (HackerOne)
Francis Perron (Independent) u269c
Anne Bertucio (Google)
Nathan Menhorn (AMD)
Eric Tice (Wipro)
Andres Orbe [email protected] he/him AOrps
MegaZone (aka MZ) (F5, Inc.)
Art Manion [email protected] zmanion
Jay White Microsoft
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
Noah Spahn [email protected] The Open University noah-de
Ixchel Ruiz [email protected] JFrog she/her ixchelruiz

Meeting Agenda

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023-09-06 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
X Yesenia Yser [email protected] OpenSSF, Alpha-Omega cyberjiujiteira
X Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
X Munawar Hafiz [email protected]

Meeting Agenda

2023-09-06 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X David A. Wheeler [email protected] Linux Foundation
X Madison Oliver [email protected] GitHub she/her taladrane
X Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
X Yesenia Yser [email protected] OpenSSF, Alpha-Omega cyberjiujiteira
X Nathan Menhorn (AMD) nathan-menhorn
X Chris de Almeida [email protected] IBM he/him ctcpip
X Seth Larson [email protected] PSF he/him sethmlarson

Meeting Agenda

  • Who wants to help out and scribe for us today?
    • Thank you Nathan
  • New Friends intros
    • No new
  • Opens
  • Updates from Sub-Projects

Opens

  • OpenSSF EU - Cancel the meeting while the Open Source Summit is happening in Spain? September 20th for this WG
    • David, Jonathan in Spain
    • Madison not going and would be willing to run the meeting only if there will be people attending - currently only 2 people total
    • ( ) Action Jonathan - Ask attendance for this meeting in Slack or Email
  • David A. Wheeler: FYI, the LF policy on vulnerability disclosures to LF projects is in its final stages. Basically it says “report vulnerabilities directly to the project/foundation”. It also cites OpenSSF works (including this group). It turns out that most OpenSSF projects already tell people how to report vulnerabilities; David created some PRs to increase that coverage.
    • Work at the project directly and don’t work top down
    • ******** - this has been shared before with this group, just reminding everyone.
    • Wording is ready in word-press format, ready to be posted but going through LF Board for review

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115) (Following along with our two existing CVD guides, what guidance can we share with open source consumers around OSS CVD, vuln mgmt, or resources they should get involved in on this topic?)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)
    • Currently, opt-out is too heavy for developers and needs update but otherwise is this ready for TAC review
      • ( ) Action Jonathan - coordinate with CRob on getting this out
    • Reviewing High Priority Goals
      • Privately vuln reports on github are per repo so goal of seeing the issue related to all repos
      • Anything else to add?
        • It would be nice to get some form of quantitative feedback on the overall process. Opt-out would capture this reason versus the process didn’t work - see Row 86
        • Bucket to capture general areas but also an open form for providing feedback
        • Need feedback during and after
        • Capture both public and private feedback throughout the process
    • Concern of this hitting hundreds or thousands of repos in the event there is big pushback or an issue with the process itself
      • Rollout suggestions starting with 10 repos then 20, etc. and fine tuning the process
      • Suggestion on making maintainers aware of this automated process so this isn’t a surprise
    • Jonathan would like to minimize burnout
      • E.g. not having to manually type change logs 100s of times, etc. In other words, minimize the pressure of this tool due to timelines and other pieces of this tool
    • https://github.com/ossf/omega-moderne-client/tree/main/src/omega_moderne_client/campaign/campaigns
      • Messaging may need to change if this comes from a private PR
    • Another issue: can only specify disclosure report and ability to automate comments (Jonathan please check if this was captured correctly)
    • ( ) Action ALL - please review spreadsheet and provide any further comments
    • Defines needed behaviors to complete this work
    • Currently working on disclosure related user stories
    • Based upon this document
    • Goal - automate this policy

OpenVEX SIG

  • No updates

OSV Project

  • No updates

2023-08-31 - APAC Call

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X CRob [email protected] Intel/OSSF he/him SecurityCRob
X Madison Oliver [email protected] GitHub she/her taladrane
X Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
X Seth Larson [email protected] PSF he/him sethmlarson

Meeting Agenda

Opens

  • Becoming a CNA as an Open Source Project guidance

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023-08-30 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
x Yesenia Yser [email protected] OpenSSF, Alpha-Omega cyberjiujiteira
x Tim te Beek [email protected] Moderne he/him timtebeek
x Jordan Harband [email protected] he/him LJHarb
x Aaron Blume [email protected] Alpha-Omega he/him aaronist

Meeting Agenda

  • New Friends intros
  • Who wants to help out and scribe for us today?
  • Opens

2023-08-23 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
x Tim te Beek [email protected] Moderne he/him timtebeek
x Jordan Harband [email protected] he/him LJHarb
x Aaron Blume [email protected] Alpha-Omega he/him aaronist
x Michael Scovetta [email protected] Microsoft he/him scovetta
x Munawar Hafiz [email protected]

Specification:

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens

Opens

Meeting Notes

  • [discussion about security insights spec]
  • [discussion about rationale for why not allow org/user-wide optout]
  • [discussion about a potential web UI with checkboxes for configuring the yml]
  • Scovetta -> Create a web form to generate security insights specs with minimal information; it doesn’t need to be pretty, but ensure it can be used to create opt-outs:
    • Opt Out => (true | false)
    • Why => (text) – drop-down selection + ‘other’

2023-08-23 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X David A. Wheeler [email protected] Linux Foundation
x Madison Oliver [email protected] GitHub she/her taladrane
X Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
x Olle E Johansson [email protected] Edvina he/him oej
X Nathan Menhorn (AMD)
X Ixchel Ruiz [email protected] JFrog she/her ixchelruiz
X Yesenia Yser [email protected] OpenSSF, Alpha-Omega cyberjiujiteira
X Chris de Almeida [email protected] IBM he/him ctcpip

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects
  • “VulnCon” will be March 2024, APPROVED, Call for papers (CFP) will be forthcoming
  • WG Issue 36 - Work on WG MVSR
  • David A. Wheeler: I’ve developed a short page on vulnerability reporting to be put on the LF website soon. It basically says, “report vulnerabilities to the specific foundation/project”, so it’s not so much a “new policy” as “telling people who to talk to”. I had to remove some things to get it to something that was acceptable to post. Any brief last-minute thoughts?: https://docs.google.com/document/d/1FNoaBj8qH4RUlBB9gH8r4hUso5O1aPORVW7I35HQbAk/edit
    • I haven’t been able to get agreement on “Safe Harbor” or privacy text, and it’s been months. Let’s take the half-loaf, and we can try to add “safe harbor” & similar legal protections in a future version.
  • David: When will the vulnerability disclosures WG merge the approved OpenSSF policy on [outgoing] vulnerability disclosures? ossf/tac#149. I’d like to refer to it from the overall LF policy, but I have to have a URL for that :-).
    • It doesn’t have to be in this WG, I just thought that was the decision.
    • CRob & David will talk
    • David: Post-WG clarification, made AFTER the WG meeting because I realized the notes might be confusing: Just to be clear, ossf/tac#149 is only the OUTGOING vulnerability disclosure policy, which isn't what the LF-wide page is about. The Vulnerability disclosures WG has ALSO drafted an INCOMING vulnerability disclosure policy, that is, on how to report vulnerabilities to the OpenSSF (and how the OpenSSF should handle them). You can see the discussion & content of the INCOMING vulnerability disclosure policy here: <#128>. In fact, this LF-wide webpage is based on this work done by the Vulnerability Disclosures WG in issue 128, but with generalizations and dropping things we couldn’t get approved.

Opens

Meeting Notes

  • You can add items to the agenda prior to the call.

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
  • Noted as part of our responses to assorted US.gov RFIs and other materials
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
  • Once Foundation MVSR and WG MVSRs are complete, CRob will start work on this. Contributors welcome.
Autofix - Issue [123](#123)
  • Request for comments on

OpenVEX SIG

OSV Project

Meeting Notes:

2023-08-16 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
X Yotam Perkal (Rezilion)
X Saumya Navani [email protected] OpenSSF he/him Saumyanavani
X Sully Martinez [email protected] OpenSFF she/her
X Tim te Beek [email protected] Moderne he/him timtebeek
X Aaron Blume [email protected] Alpha-Omega he/him aaronist

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens

Meeting Notes

  • Semgrep - a collection of security vulnerability detection + remediation
    • Additional automation we can integrate with
    • Larger collection than Jonathan’s
      • Diff and alert on repos
    • Con - no pull request capabilities
    • Aeva: who is the audience for this document? (should be added to the top)
    • Aeva: what is the status of this document? Is it ready for external view?
      • Needs to be reviewed by the TAC
    • Need feedback on
      • What methods to offer to maintainers for opt-out from future campaigns?
    • Reach out to Omkhar with specific questions on the process

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023-08-02 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
x Munawar Hafiz [email protected] OpenRefactory
x Yesenia Yser [email protected] LF/A-O cyberjiujiteira
x Aaron Blume [email protected] Alpha-Omega he/him aaronist
x Sully Martinez [email protected] Alpha-Omega She/Her
x Tim te Beek [email protected] Moderne he/him timtebeek

Meeting Agenda

  • New Friends intros
    • Tim te Beek
    • Raquel Pau Fernandez

2023-07-27 - APAC Call

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x CRob [email protected] Intel/OSSF he/him SecurityCRob
x Seth Larson [email protected] PSF he/him sethmlarson
X Andrew Pollock [email protected] Google he/him andrewpollock

Has the meeting started? 🦆🦆🦆🦆

Meeting Agenda

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

CVD Guide for Consumers - Issue [115](#115)
Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023-07-26 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X Madison Oliver [email protected] GitHub she/her taladrane
X Jennifer Mitchell [email protected] Tidelift
X Nathan Menhorn [email protected] (AMD) nathan-menhorn
X Art Manion [email protected] zmanion
X Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
X Ixchel Ruiz [email protected] JFrog she/her ixchelruiz
X Chris de Almeida [email protected] IBM he/him ctcpip
x Seth Larson [email protected] PSF he/him sethmlarson

Meeting Agenda

Opens

  • CRob not able to attend today 😞

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • On hold, pending funding approval
    • No activity - stalled until approval is received
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
    • Thanks to those who have provided feedback so far 🎉
  • Hopefully we can get some feedback from the community during hacker summer camp on the guide and ideas for what to include
  • About 4-5 people have provided feedback on this document
  • No hard deadline for this document yet but thinking after the Hacker Summer camp
Autofix - Issue [123](#123)
  • No updates

OpenVEX SIG

OSV Project

2023-07-12 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
x Yesenia Yser [email protected] LF/A-O cyberjiujiteira
x Brian Russell [email protected] Google he/him brianrussell2
x Aaron Blume [email protected] Alpha-Omega he/him aaronist
x Saumya Navani [email protected] Alpha-Omega he/him Saumyanavani
x Sully Martinez [email protected] Alpha-Omega She/Her

Meeting Agenda

  • New Friends intros
    • Tim te Beek
    • Raquel Pau Fernandez

2023-07-12 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x CRob [email protected] Intel/OSSF he/him SecurityCRob
x Yesenia Yser [email protected] OpenSSF, Alpha-omega cyberjiujiteira
x Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
X Brian Russell [email protected] Google he/him brianrussell2
X Nathan Menhorn [email protected] (AMD) nathan-menhorn
x Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
x Hart Montgomery [email protected] LF he/him hartm
x Marcus Meissner [email protected] suse he/him
X Chris de Almeida [email protected] IBM he/him ctcpip
x Saumya Navani [email protected] Alpha-Omega he/him Saumyanavani
x Tim te Beek [email protected] Moderne he/him timtebeek
x Raquel Pau [email protected] Moderne she/her rpau

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens

Meeting Notes

  • Auto Fix Campaign - Notes under Autofix SIG below
  • CVE Schema Issue
    • The XML schema is vulnerable to an external entity (reference)
    • Can this feature be made opt-in by default?
    • Jonathan brought this up through channels but got no traction, so Art may raise it again in order to get it resolved and possibly have it assigned its own CVE
    • CRob suggesting to capture this as a discussion topic for the xxx conference
  • SIG looking to find orgs to fund pen testing for major projects; A-O may provide resources and has shown interest

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
Autofix SIG - Issue [123](#123)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls

OSV Project

Meeting Notes:

2023-07-05 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
x Yesenia Yser [email protected] LF/A-O cyberjiujiteira
x Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
x Aaron Blume [email protected] Alpha-Omega he/him aaronist

Meeting Agenda

  • New Friends intros

2023-06-29 - APAC Call

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x CRob [email protected] Intel/OSSF he/him SecurityCRob
X Madison Oliver [email protected] GitHub she/her taladrane
x Aaron Blume [email protected] Alpha-Omega he/him aaronist
x Oliver Chang [email protected] Google he/him oliverchang
X Andrew Pollock [email protected] Google he/him andrewpollock

Meeting Agenda

Opens

2023-06-28 - Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
x Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
x Munawar Hafiz [email protected] OpenRefactory
x Yotam Perkal [email protected] Rezilion he/him pyotam
x Andres Orbe [email protected] (Alpha-Omega) he/him AOrps
x Yotam Perkal [email protected] Rezilion he/him pyotam
x Aaron Blume [email protected] Alpha-Omega he/him aaronist
x Saumya Navani [email protected] Alpha-Omega he/him Saumyanavani
x Sully Martinez [email protected] Alpha-Omega She/Her

Meeting Agenda

  • New Friends intros

2023-06-28 - Full WG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
X CRob [email protected] Intel/OSSF he/him SecurityCRob
X Madison Oliver [email protected] GitHub she/her taladrane
x Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
x Yesenia Yser [email protected] LF/A-O cyberjiujiteira
x Andres Orbe [email protected] (Alpha-Omega) he/him AOrps
X Jay White Microsoft
x Trevor Dunlap [email protected] Chainguard he/him tdunlap607
X Jason Keirstead [email protected] IBM/? he JasonKeirstead
X Chris de Almeida [email protected] IBM he/him ctcpip
x Arun S M [email protected] Walmart he/him arsulegai
x Hart Montgomery [email protected] Linux Foundation he/him hartm

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects
    • Autofix disclosure - continuous conversation on the Autofix vulnerability disclosure (flow and state diagram + standards doc)
    • Ongoing conversation with GitHub to discuss bringing private folks into PVR (private vulnerability reporting); complication around custom fork names
  • https://vexsummit.org/
    • Cisco-hosted “show and tell”; looking for demos
  • “VulnCon”
  • NVD consortium participation interest?
    • Look for Federal Register notice
    • We could influence NVD to be more OSS friendly
    • Register notice will be sent out by Crob in the upcoming days via slack
  • TC39-TG3 [Chris de Almeida]
    • Standards body for JavaScript - Task Group 3 (release blog for context)
    • Scope of work - all things related to security in JavaScript
      • Secure programs written in JavaScript
    • No meetings since 2021
    • Chairs will be voted in over the upcoming weeks
    • Task/focus
      • Vulnerability Disclosure - when vulnerabilities appear in the language, in new proposals, or in Node
      • No policy for right now
    • Interested - Madison,
    • Connection to the node group
    • Chat with CRob, David wheeler, as well as best practice groups - materials for their contributors and maintainers

Opens

  • Challenging the CVE system - Java’s XXE Drama - Jonathan
    • Story -> old vulnerability (well doc/understood). Access to resources in file system, as well as external resources
    • Built into the java standard library -
      • Oracle -> no CVE; not a security vulnerability, but a bug to fix via the jve process; been a year, no contact on the issue
      • MITRE -> reached out for a CVE number; CVE team in agreement with Oracle – has been the root of many CVEs
    • Suggestions
      • -> leverage VulnCon or similar to have a birds-of-a-feather session and discussion around 2023 security best practices to guide legacy designs.
      • -> influence a culture change
      • What’s the purpose of a CVE… why create a CVE if it’d never be fixed? Will require configuration changes in code (java 2.0)
      • A CVE identifies a “vulnerability”, not a fix
  • Call for feedback on the Hyperledger vulnerability template

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls

OSV Project

Meeting Notes:

2023/06/21 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Munawar Hafiz [email protected] OpenRefactory
Yesenia Yser [email protected] LF/A-O cyberjiujiteira
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Yotam Perkal [email protected] Rezilion he/him pyotam
Jordan Harband [email protected] OpenSSF he/him ljharb
Aaron Blume [email protected] Alpha-Omega he/him aaronist
Saumya Navani [email protected] Alpha-Omega he/him Saumyanavani
Glenda Garcia [email protected] Alpha-Omega glenda1015
Sully Martinez [email protected] Alpha-Omega She/Her

Meeting Agenda

2023/06/14 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Munawar Hafiz [email protected] OpenRefactory
Yesenia Yser [email protected] LF/A-O cyberjiujiteira
Yotam Perkal [email protected] Rezilion he/him pyotam
Andres Orbe [email protected] Alpha-Omega he/him AOrps
Aaron Blume [email protected] Alpha-Omega he/him aaronist
Saumya Navani [email protected] Alpha-Omega he/him Saumyanavani

Meeting Agenda

2023-06-14 - Full WG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her taladrane
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Yesenia Yser [email protected] OpenSSF cyberjiujiteira
Andres Orbe [email protected] Alpha-Omega he/him AOrps
Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
Josh Clements [email protected] ADI he/him joshclements-adi
Hart Montgomery [email protected] Linux Foundation (HLF, OWF) he/him hartm
Aaron Blume [email protected] Alpha-Omega he/him aaronist
Chris de Almeida [email protected] IBM he/him ctcpip
Arun S M [email protected] Walmart he/him arsulegai

Meeting Agenda

Opens

  • Clarifying a line or two in
    • “90 days after the Notice Date”
    • Possibly insert a diagram for timeline
    • List of parties, maintainers, and researchers is correct
      • Edit: “All parties involved, including but not limited to maintainers and researchers”
    • Keep vagueness of “conflict” for flexibility in policy
      • Idea > we might want to address what “conflicts” can arise in CVD in our other guides
    • Jonathan is going to deploy the updated policy to the necessary parties.
    • ossf/tac#149
  • Hart: open call for feedback from WG members on Hyperledger’s proposed vulnerability disclosure guidance *
    • The work that David Wheeler is doing to develop a broader security policy for the Linux Foundation may be useful to either reference here or ensure is aligned with their proposal at least
    • Hyperledger is just software
    • Safe Harbor Policy might be a good idea
    • #128 Vulnerability Reporting Policy
    • Goal is to create a template for a vulnerability disclosure policy, that is flexible for individual projects.
  • [Yser] A-O Omega Toolchain Summer Engineering Software Requirement Document *
    • Action: Feedback and input for the mentees
  • Who is responsible for disclosure-check?
  • FYI: Nicole Schwartz is submitting to BSides Edmonton (CFP is open); anyone else in Edmonton who would want to co-present? (or submit a competing CFP, sure!)

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

2023/06/07 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Yesenia Yser [email protected] LF/A-O cyberjiujiteira
Kris Borchers [email protected] Independent he/him kborchers
Brian Russell [email protected] Google he/him brianrussell2
Aaron Blume [email protected] Alpha-Omega he/him aaronist
Brian Behlendorf [email protected] LF/OpenSSF he/him brianbehlendorf

Meeting Agenda

2023/05/31 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Munawar Hafiz [email protected] OpenRefactory
Jordan Harband [email protected] OpenSSF he/him ljharb
Kris Borchers [email protected] Independent he/him kborchers

Meeting Agenda

  • New Friends intros
  • Visit the Lucid chart in development describing vulnerability disclosure workflow.
    • Jordan: The code generator may generate many fixes for non-statically typed language that require human intervention. The flow specified should only be used for cases where there is some assurance that the false positive rate is going to be very low. Jonathan added a new decision node to address this.

2023-05-31 - Full WG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her taladrane
Jennifer Mitchell [email protected] Tidelift
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Yesenia Yser [email protected] OpenSSF cyberjiujiteira
Yotam Perkal [email protected] (Rezilion)
Nathan Menhorn (AMD)
Art Manion [email protected] zmanion
Ixchel Ruiz [email protected] JFrog she/her ixchelruiz
Chris de Almeida [email protected] IBM he/him ctcpip
Jay White [email protected] Microsoft he/him camaleon2016
Kris Borchers [email protected] Independent he/him kborchers
Munawar Hafiz [email protected] OpenRefactory he/him

Meeting Agenda

  • Who wants to help out and scribe for us today?
    • Yesenia
  • New Friends intros *
  • Opens *
  • Updates from Sub-Projects

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
  • [Art] Meetings are paused. Proposal in review, pending direction from governing board. Madison +1 (see SIG notes below for more details)
    • Art checked with Crob, status is indeed “in the hands of the GB (and/or Exec Dir)”
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls
  • Meetings are now bi-weekly on Mondays at 3:00 PM

OSV Project

  • Oliver and Rus are in APAC

2023-05-25 - APAC Call

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her taladrane
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Michael Scovetta [email protected] Microsoft he/him scovetta
Jeffrey Borek [email protected] IBM he/him

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens

  • The Great Repository Audit
  • Related: NVD worries (OEJ)
  • Disclosure Check needs a home & maintainer!

Meeting Notes

  • Disclosure Check needs a home & maintainer!
    • Michael would love more contributors from OpenSSF for this project so there isn’t a single point of failure for maintenance
      • There may be room within the OpenSSF SIRT budget down the line to get paid development/support for this
    • Michael will make his repo public and Crob will send an email out to the working group asking for support!
    • The repo under OpenSSF was made public today > https://github.com/ossf/disclosure-check
  • NVD worries
    • Unsure what the discussion was meant to be, so we can table it for now and discuss it at the next call
  • The Great Repository Audit
    • Proposal TL;DR > OpenSSF will perform these audits or give the projects the option to do it themselves and share the results, and includes:
      • Pentest of the firm < this would be publicly disclosed
      • Red team engagement against the organization < this would not be publicly disclosed
        • The methodology of exploitation will not be disclosed
    • Not yet included in the policy > want to include a bug bounty program to enable researchers to review this infrastructure at large after the audit is completed
    • Concerns?
      • How would we actually fund this? It’s $150,000 USD per artifact repository, macroeconomic constraints are very real
        • Current idea - Alpha Omega > OSTIF > OpenSSF
        • Desire to have one part time dedicated staff member (program manager) to run this
        • Depending on when we’d want to start, it could be included in a FY2024 budget (and may increase likelihood of receiving funding), but the group doesn’t have high confidence in this being funded sooner by the OpenSSF. Maybe there’s an opportunity to get funding elsewhere at first, and elsewhere down the line
      • Michael Scovetta & Crob are happy to help Jonathan work on funding proposals for this
    • Jonathan has involved folks from JFrog, Gradle, Chainguard, and Sonatype so far and they’ve been in favor of the proposal
      • He hasn’t been able to connect with many folks that are running the security of the package registries. The OpenSSF Securing Software Repositories WG used to have participation from these types of folks but that’s lost momentum over time

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
  • Have put SIG calls on hold until we get direction from GB
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls
  • The next call is the first focused on development and maintaining the spec (technical focus) since moving to alternating focuses 🎉

OSV Project

  • Updates to come from the APAC meeting (hopefully!)

2023/05/24 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Yesenia Yser [email protected] LF/A-O cyberjiujiteira
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Kris Borchers [email protected] he/him kborchers

Meeting Agenda

  • New Friends intros
    • Kris Borchers
  • Who wants to help out and scribe for us today?
    • None, just working on documents
  • OpenSSF Compliant Automated Vuln Fix Campaign
    • Comment and provide feedback
    • This will be turned into a “happy path story” for public
    • Communicate with outside of AutoFix SIG - Vuln Disclosure, TAC, and other
  • Doodle poll for new time

2023/05/17 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Yotam Perkal [email protected] Rezilion he/him pyotam

Meeting Agenda

  • New Friends intros *
  • Who wants to help out and scribe for us today?
    • None, just working on documents
  • Opens

2023-05-17 Vulnerabilities Disclosures

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her taladrane
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Art Manion [email protected] zmanion
Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
Ben Edgar [email protected] he/him
John Andersen [email protected] Intel he/him pdxjohnny

Meeting Agenda

  • Book club! (half joking, would be fun)
  • Who wants to help out and scribe for us today?
  • New Friends intros
  • CRob has a new role in OSSF, will need assistance in helping this WG
  • Opens
  • Updates from Sub-Projects

Opens

Meeting Notes

  • CRob was elected to chair TAC!
    • Looking for an active member to help lead this series
    • Jonathan and (tentatively) Madison to co-co-lead
  • Mobilization calls will be on hold as strategy evolves from governing board
  • Looking for contributors for OSS CVE guide for consumers
  • Autofix SIG - Jonathan
    • Meeting this afternoon - 5 PM ET
      • Will discuss document currently under review about how we’ll be fixing vulns at scale in open source
    • Outgoing doc has been approved by the TAC
      • CRob feels TAC repo is logically the landing spot
        • Vuln disclosure group is nested far and might be hard to find
  • OpenVEX - CRob
    • Great call last Monday; will alternate between a technical call (tooling and spec) and an evangelism call (industry: OASIS, CSAF, CycloneDX, SPDX) to get folks using OpenVEX
    • New exciting goose logo!
    • There is an Australian focused meeting for the OSV folks. Will explore collaboration there.
    • There is a mailing list for the OpenVEX sig
  • Opens
    • Jonathan
      • Working on a proposal for an idea
        • The great repo audit
        • OpenSSF funded by Alpha-Omega will engage in pentesting the major artifact servers.
        • Usually when you buy software you’d look for a pentest report, etc.
        • Because major artifact servers don’t have similar agreements, they are run as “public good” services, likely they haven’t been in scope for pentests before.
        • Dev publishes a package, uploaded, information rendered, anti-hijacking, potentially including the consuming infra (pip, verify=False???)
        • Would hire a pentest firm to do this.
        • Vuln disclosure policy would be applicable here
          • Some folks have said by the way introducing along with vuln disclosure policy sounds scary to pentesters
          • With a pentest report sometimes you’d have a bulk of disclosures. This would cause a slew of findings which could all end up in the same remediation timelines activated in parallel. This would be problematic from a response time perspective.
        • Would be good to ensure we have contacts and resources available to engage as findings come up.
        • Could leverage policy for critical and high vulns, exceptions for the others.
        • Would how we handle this project change based on who is managing the packaging registry/artifact server - a community run non-profit foundation vs. a corporate backing with more resources?
        • Official and verified package processes. In scope or out of scope?
          • Related?: SCITT: Use Case: Attestations of alignment to S2C2F and org Overlays
            • Focus on promotion and transparency service to track promotion reasoning from 3rd party to 2nd party (verified) or 1st party (official)
  • Notification mechanisms for new vulns (and VEX, and XYZ)

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
  • Have put SIG calls on hold until we get direction from GB
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls

OSV Project

Meeting Notes:

20230426 - Autofix SIG

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Munawar Hafiz [email protected] OpenRefactory
Yotam Perkal [email protected] Rezilion he/him pyotam

Meeting Agenda

  • New Friends intros *
  • Who wants to help out and scribe for us today?
  • Opens

2023-05-03

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
David A. Wheeler [email protected] Linux Foundation
Madison Oliver [email protected] GitHub she/her taladrane
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Randall T. Vasquez [email protected] LF/Gentoo he/him ran-dall
Francis Perron (independent) u269c
Nathan Menhorn (AMD)
Art Manion [email protected] zmanion
Nicole Schwartz [email protected] ActiveState she/her nicoleschwartz/circuitswan
Marcus Meissner [email protected] SUSE he/him
Andres Orbe [email protected] he/him AOrps
Noah Spahn [email protected] The Open University noah-de
Yesenia Yser [email protected] OpenSSF Alpha-Omega cyberjiujiteira
Yotam Perkal [email protected] Rezilion he/him pyotam

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens/Meeting Notes

  • Jonathan submitted a talk to DEFCON to present his vulnerability policy
  • Outgoing Vulnerability Disclosure Policy ratified by TAC
    • Next step: start a TAC level issue to determine where the policy should live
    • One issue: Google isn’t good at indexing GitHub pages
    • A GitHub Page/website (WordPress) could also be a way to share the policy (or any static document), but changes to it are a “code change” essentially
      • Does Google index GitHub pages well? Does GitHub encourage this indexing?
    • Overall desire to move to more version control for working group docs that isn’t Google Drive?
    • #122 (comment)
  • Quick review of what this WG is doing/threads/docs/topics? This might just be the Sub-Projects list. Also open GitHub issues.
  • Safe Harbor discussion (it was removed from the vulnerability policy) > LF legal wanted to remove the original safe harbor text that was drafted
    • Nicole: we can do a quick comparison of popular safe harbor policies (disclose.io, BugCrowd, etc.) to determine common elements and what we want to ensure is included in ours
      • David: That would be great! Please do! If there’s a general safe harbor policy that’s reusable already, let us know that too.
      • #128 (comment)
    • How does this look to the LF if we force projects that may not be mature enough, or may not have the capacity, to respond to vulnerability reports? Legal isn’t currently concerned
      • Are we / they (other projects, legal) ok with the fact that some things are / will be won’t-fix? Sounds like a red herring
      • David: Every OSS project should expect to receive bug reports, it’s hard to imagine what they expect otherwise.
      • Francis: The scope on the policy could help project maintainers here > we could focus on integration or deployment at the project level, and if it’s broader than that then recommend the reporter go upstream

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
  • May have been presented, still awaiting decisions
CVD Guide for Consumers - Issue [115](#115)
  • ❗Seeking contributors to work on document
Autofix SIG - Issue [123](#123)
  • Specification: OpenSSF Compliant Automated Vulnerability Fix Campaign
    • A specification ^ aiming to have highest impact for lowest pain of bulk vuln reporting to get a widespread bug fixed
  • Jonathan has been working on a flowchart for how vulnerabilities will be disclosed via automatic pull request generated (PMPVR)
  • Meetings every Wednesday at 4pm Eastern
    • We’ve had enough meetings to be adopted as its own SIG
    • This needs a vote to be adopted as its own SIG
OpenVEX SIG
  • 2023 OSSF OpenVEX SIG Meeting Notes
  • OpenVEX · GitHub
  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls (1500 EDT alternate Mondays)
    • We checked; the OpenVEX meeting appears in the OpenSSF calendar
  • Working on charter/scope/mission/goals, likely to include
    • OpenVEX specification
    • A higher-layer look at VEX as part of vulnerability management

OSV Project

Action items:

  1. Nicole open issue Wordpress v GitHub Page v other for searchability #122 (comment)
  2. Nicole update existing issue with example safe harbors and note what common elements they have #128 (comment)
  3. Should there be an issue/discussion about recommended VDP boundaries? (brought up as a note in the safe harbor discussion) i.e. don’t just dump automated tool results (curate/test them) and sometimes things need to go upstream #122 (comment)
  4. CVD Guide for Consumers - Issue 115 ❗Seeking contributors to work on document ❗

Meeting Notes:

2023-05-01 Vulnerabilities Disclosures (added meeting)

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
David A. Wheeler [email protected] Linux Foundation
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Jeffrey Borek [email protected] IBM he/him
Art Manion [email protected] zmanion
Jay White [email protected] Microsoft he/him camaleon2016
Chris de Almeida [email protected] IBM he/him ctcpip

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens

Meeting Notes

20230427 - APAC CALL

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
David A. Wheeler [email protected] Linux Foundation david-a-wheeler
Madison Oliver [email protected] GitHub
Andrew Pollock [email protected] Google/OSV he/him andrewpollock
Jonathan Leitschuh [email protected] Open Source Security Foundation He/Him JLLeitschuh
Noah Spahn [email protected] Open University noah-de
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)
  • Proposal: Open Source Security Foundation Outbound Vulnerability Disclosure Policy
  • Review of outstanding comments on the doc:
    • Current version text around disclosing zero days: “The Publication Date for a 0-day will be accelerated, typically **at most** 7 days of the Notice Date.”
    • Suggested change: “The Publication Date for a 0-day will be accelerated, typically to within 7 days of the Notice Date.”
    • Discussion:
      • Jonathan: 7 day maximum is intentional and there is a clause in the doc to give the ability for changing the timeline. There’s also a clause to make exceptions to the timeline for extreme circumstances, and the expectation is that if a fix can’t be supplied in 7 days, then mitigations would be provided for end users.
      • David & Crob: in favor of adding the flexibility that the change proposes. The impact of the vulnerability may impact the timeline, so changing it to “within” allows for that. “At most” or “always” are too strong of terms to use because it may not apply appropriately more generally.
  • We should keep reviewing what other code hosting services offer besides GitHub’s private vulnerability reporting that allow for submitting fixes using automation to ensure that they fit the process workflow. At least look at GitLab. See:

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls

OSV Project

Meeting Notes:

  • OpenSSF Inbound Security policy (Luigi proposed)
  • David A. Wheeler: I’m trying to gen up an LF-wide security policy telling researchers (finders) how to report vulnerabilities.
    • My expectation is that it’ll basically say, “follow the policy of the relevant foundation/project. For LF infrastructure & website, email [email protected]”.
    • So yes, OpenSSF will still need their own. But it will help researchers find it.
    • Once I get more eyes on it, want to share it with this group.
    • Trying to work out a legal “safe harbor” text - hard, some attackers try to pretend to be legitimate researchers.
    • Would like to create a generic text, at least for the safe harbor, so others can reuse. Don’t have one yet, if you have suggestions, please let me know.

20230426 - Autofix SIG

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Munawar Hafiz [email protected] OpenRefactory
Yesenia Yser [email protected] LF/A-O cyberjiujiteira
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Michael Scovetta [email protected] Microsoft / OpenSSF Alpha-Omega he/him scovetta
Noah Spahn [email protected] Open University noah-de

Meeting Agenda

Meeting Notes

20230419

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her taladrane
Jennifer Mitchell [email protected] Tidelift
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Randall T. Vasquez [email protected] LF/SKF/Gentoo he/him ran-dall
Kayla Underkoffler (HackerOne)
Nathan Menhorn [email protected] (AMD) nathan-menhorn
Jeffrey Borek [email protected] IBM he/him
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Olle E Johansson [email protected] Edvina he/him oej
Noah Spahn [email protected] Open University noah-de
Nicole Schwartz [email protected] ActiveState she/her nicoleschwartz/amazonv
Michael Scovetta [email protected] Microsoft / Alpha-Omega he/him scovetta
Marcus Meissner [email protected] SUSE he/him
Avishay Balter [email protected] Microsoft he/him balteravishay
Andres Orbe [email protected] he/him AOrps
Brian Behlendorf [email protected] OpenSSF he/him brianbehlendorf
Sandipan Roy [email protected] Red Hat he/him ByteHackr
Brian Russell [email protected] Google / Alpha-Omega he/him brianrussell2
Yesenia Yser [email protected] OpenSSF Alpha-Omega cyberjiujiteira

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects
  • David A. Wheeler: Possible idea - LF-wide [policy] text to encourage vulnerability reporting. Current draft text, what do you think?
    • If you find a security vulnerability in the software developed by an LF foundation or project, please report the vulnerability directly to that foundation or project, using their vulnerability reporting process and policy. Examples of such processes/policies are those of FINOS, the Linux kernel, Kubernetes, Zephyr, and Yocto. Feel free to browse our list of foundations/projects.
    • If a specific LF project doesn’t state how to report a vulnerability, report the vulnerability to the foundation that runs the project using its process. Also, if an LF project or foundation doesn’t make it clear how to report vulnerabilities, please ask them to define their process and make it clear, so that you can then report the vulnerability. If a project doesn’t respond in any way to a report, after some time (by default 21 days) retransmit it several times in case it was dropped, and give them time to fix it before making the vulnerability public (by default 90 days from the initial report). If the project/foundation is marked as no longer being maintained (e.g., it is “archived” or “abandoned”), then reporters may directly report the vulnerability to the public, but they must also clearly note that the project is already marked as being no longer maintained.
    • If you maintain an LF project, or lead an LF foundation, we ask that you take steps to (1) make it easy for vulnerability finders (security researchers) to report vulnerabilities, and (2) be ready to receive those reports. The OpenSSF “Guide to implementing a coordinated vulnerability disclosure process for open source projects” can help you do that. As noted above, typically vulnerability reports are sent to security@YOUR_DOMAIN and/or GitHub private reporting; this should be noted in a SECURITY.md file and README file. We also encourage you to make vulnerabilities less likely. For example, we encourage you to learn how to develop secure software, as well as use practices (see OpenSSF Security Scorecards and the OpenSSF Best Practices badge). Each LF foundation and project is expected to try to develop software that is adequately secure for its purpose and to apply good practices to counter attacks (including supply chain attacks), and continuously improve.
    • Older plan was “[email protected]” would be the reporting location of last resort for LF foundations/projects. But that might delay reporting & creates work at the wrong place, so instead, will use that only for LF infrastructure & website, otherwise just send to project/foundation
    • Lazy consensus: Think it’s a good idea?
    • Need to sort who will handle [email protected] (multiple people) - that has already been done, it’s LF IT.
    • We’d love to have specific traces from a vulnerability to specific code changes
      • David: That’s not something many will agree with, and in fact, many will specifically oppose. It’s more important to get a report & fix it; traceability is nice, but do not plan to require it as that will mean we can’t get it out the door.
    • We’d love to have details about a vulnerability fixed included as part of a release
      • David: I agree, but I don’t think we can get that agreement LF-wide. Let’s work on what we CAN get agreement on now, and possibly add that in the future once we can gain such agreement. We might be able to add that long-term. Again, the current focus is to get the information & fix the vulnerability in a new release
    • Concern: Is there a central repository of LF-owned domains?
      • Not that I know of.
      • We could ask LF IT to create & maintain that list (e.g., on linuxfoundation.org)
    • Want to offer a safe harbor.
      • CRob: I know Amit, she has a lot of experience on safe harbor text. Amit’s a lawyer.
      • Jonathan: I have Gradle’s text.
      • From a legal risk perspective, the easiest thing to do is nothing. The next best is reporting anonymously. Don’t force “must follow this process exactly or safe harbor doesn’t apply” - Jonathan Leitschuh will work with legal to try to do that.
      • Will also need to “get the word out” to LF projects.
    • SIRT could in theory do the routing.
    • If possible, it’d be good if the project could say “here’s what we fixed” in its release
    • No one opposes!
  • Luigi Gubello: review and approve the OpenSSF Inbound Security Policy, in time for the LF Vulnerability Reporting process. In particular:
    • Approve the In-Scope list
    • Create the security contact [email protected] and give access to some people (WG vulnerability-disclosures and Alpha/Omega team might be two good candidates) - currently [email protected] goes to operations.
    • [Scovetta] It would be nice to adopt Security Insights across OpenSSF projects (and advocate for it broadly) since it includes programmatically readable reporting mechanisms.
    • We could permit PGP in the future, but definitely don’t require it & is not a blocker.
    • Most people will not use PGP; it’s too hard. If the goal is to encrypt emails, hop-by-hop encryption is easy to use, automatic (STARTTLS & MTA-STS) and more than sufficient. GitHub private reporting also works.
  • Jonathan Leitschuh: Review feedback from LF Legal on Proposal: Open Source Security Foundation Vulnerability Disclosure Policy
    • The word “policy” has some specific expectations
    • Maybe a partner document with the policy that includes procedure & notes.
    • Jonathan L. will go through. He will probably have another meeting next Wednesday same time to make a final pass of this document. LF Legal will need to review it.
  • Michael Scovetta: PoC tool to detect disclosure mechanisms for a given open source project. Parses metadata, README/SECURITY.md, GitHub PVR, Tidelift, etc. and tries to make it easier. Happy to donate to OpenSSF. Should be pip install disclosurecheck or similar by next week. https://github.com/scovetta/disclosure-check. Feel free to open issues in the repo for now.


    • Add support for https://datatracker.ietf.org/doc/html/rfc9116 (security.txt) and securitytxt.org
  • Jenkins appears to require JIRA for security reports, in part because it counters spam.
  • Mass reportings - often outsourced to HackerOne.
  • FIRST CSIRT/PSIRT - https://www.first.org/members/teams/
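The disclosure-check item above mentions adding RFC 9116 (security.txt) support. As an added illustration, not part of these notes or of the disclosure-check tool, here is a small parser that pulls out the Contact and Expires fields and reports what a reporter should check before trusting the file (missing or non-URI contacts, expired or duplicated Expires, unknown extension fields); the sample file and the fixed "now" are constructed.

```python
"""Parse an RFC 9116 security.txt file and flag what a vulnerability reporter
needs to know before trusting it. Added illustration, not the WG's or the
disclosure-check tool's code."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116. Contact and Expires are mandatory; any other
# field name is an extension and is reported as a warning, not an error.
KNOWN_FIELDS = {
    "contact", "expires", "encryption", "acknowledgments",
    "preferred-languages", "canonical", "policy", "hiring",
}
# Contact values must be URIs with one of these schemes (RFC 9116, 2.5.3).
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


@dataclass
class SecurityTxt:
    """Lower-cased field names mapped to their values in file order."""
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)    # RFC violations, expiry
    warnings: list[str] = field(default_factory=list)  # advisory findings

    @property
    def contacts(self) -> list[str]:
        # RFC 9116 lists contacts in order of preference, most preferred first.
        return self.fields.get("contact", [])


def _parse_rfc3339(value: str) -> datetime | None:
    """Accept the RFC 3339 forms seen in practice, including a trailing 'Z'."""
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if when.tzinfo is None:  # treat a missing offset as UTC rather than local
        when = when.replace(tzinfo=timezone.utc)
    return when


def parse_security_txt(text: str, now: datetime | None = None) -> SecurityTxt:
    now = now or datetime.now(timezone.utc)
    result = SecurityTxt()

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no data
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            result.errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = name.strip().lower(), value.strip()
        if name not in KNOWN_FIELDS:
            result.warnings.append(f"line {lineno}: extension field {name!r}")
        result.fields.setdefault(name, []).append(value)

    # Contact: at least one, each with an allowed URI scheme.
    if not result.contacts:
        result.errors.append("missing mandatory Contact field")
    for contact in result.contacts:
        if not contact.startswith(CONTACT_SCHEMES):
            result.errors.append(f"Contact {contact!r} is not mailto:, tel: or https://")

    # Expires: exactly one, parseable, in the future; the RFC recommends < 1 year.
    expires = result.fields.get("expires", [])
    if len(expires) != 1:
        result.errors.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        when = _parse_rfc3339(expires[0])
        if when is None:
            result.errors.append(f"Expires {expires[0]!r} is not an RFC 3339 timestamp")
        elif when <= now:
            result.errors.append(f"file expired {when.date()}; contents may be stale")
        elif when - now > timedelta(days=366):
            result.warnings.append("Expires is more than a year away")

    if len(result.fields.get("preferred-languages", [])) > 1:
        result.errors.append("Preferred-Languages must appear at most once")
    return result


# Constructed sample (not from any real project) and a fixed "now" so the
# expiry checks give the same answer whenever this is run.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

GOOD_SAMPLE = """\
# constructed example
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2024-12-31T23:59:00.000Z
Preferred-Languages: en
Policy: https://example.org/security-policy
"""
```

Call `parse_security_txt(GOOD_SAMPLE, now=FIXED_NOW)` and check `.errors` is empty before using `.contacts[0]`; a non-empty `.errors` means the file should not be relied on for routing a report.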

Opens

  • OSS-EU CFP closes early May! Submit now to hold a talk in Spain!
    • OSSF Day EU CFP will be forthcoming

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls
  • Documenting Mission, Vision & goals for group

OSV Project

Meeting Notes:

20230412 - Autofix SIG

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Kasimir Schulz [email protected] (Trellix) he/him
Yesenia Yser [email protected] LF/A-O cyberjiujiteira
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Jordan Harband [email protected] OpenSSF he/him ljharb
Aavash Chhetri [email protected] he/him A-atmos
Andres Orbe [email protected] he/him AOrps
Noah Spahn [email protected] Open University noah-de
Matt Rutkowski [email protected] IBM he/him mrutkows

Meeting Agenda

  • New Friends intros
    • Jordan Harband - OpenSSF
    • Andres Orbe - NJIT
    • Aavash Chhetri
  • Who wants to help out and scribe for us today?
    • Josh & Yesenia
  • Opens
    • None today
  • Discussions:
    • High level overview of the group
      • Addressing vulnerabilities at scale (e.g. 65,000 packages in a single campaign) while doing that in a way that is respectful of package maintainers.
    • Specification: OpenSSF Compliant Automated Vulnerability Fix Campaign
      • Set of standards, that if followed, allows vuln campaign authors to leverage the OpenSSF name.
      • Jordan: Approach currently being taken is slightly different than how they would approach it.
        • Split the automated patching to ensure positive maintainer relationship + highest impact
        • “Warm fuzzies of open source security”
        • Private vulnerability reporting (PVR) - two general groups, those who have PVR enabled, and those who are unaware of PVR.
          • Also some folks who would enable PVR on a project, but don’t have the permissions to do so.
        • Best practice in the interim has been having security reporting (e.g. SECURITY.md with contact information)
        • Feels that we should follow the security reporting guidelines/policy even if it hinders automation efforts
        • How do we balance not overburdening the maintainers and enabling large scale vuln fix campaigns
        • Ideal solution would be PVR being opt-out rather than opt-in
        • Notify “group” in one location, not multiple notification for the same “group” (organization/etc)
        • Currently there isn’t a good mechanism to know if PVR is enabled at the repo or org level.
        • “Please enable PVR” is the biggest concern
          • If there isn’t a security policy, less obnoxious from the maintainer perspective. But, if there is a policy in place for how to report, it can be very irritating to get “Please enable PVR” issues for each repo.
      • Josh
        • Repo host - enabled by default and more integrated feature (dependent on the SCM tool)
      • Jonathan: Org level SECURITY.md worth distinguishing from repo SECURITY.md?
        • Apache foundation, Eclipse, others that are unknown can trip up this logic - can be under one GitHub org but ran by multiple groups
        • Matt: Yes, in fact there was an OpenSSF specific security file:
      • PVR is dependent on the platform support
        • Workaround where unavailable: Notify of a vulnerability but don’t include specific details. Request enabling PVR as a part of the notification
        • Can’t be prescriptive without more context and experience with how these campaigns are received in practice
        • SECURITY.md is an example of maintainers providing preferred method of communication
    • Links:

20230405

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
David A. Wheeler [email protected] Linux Foundation
Madison Oliver [email protected] GitHub she/her taladrane
Jennifer Mitchell [email protected] Tidelift
Yesenia Yser [email protected] OpenSSF’s Alpha-Omega she/her cyberjiujiteira
Nathan Menhorn [email protected] AMD nathan-menhorn
Nicole Schwartz [email protected] (ActiveState) She/Her NicoleSchwartz & CircuitSwan
Sandipan Roy [email protected] Red Hat He/Him ByteHackr
Jay White [email protected] Microsoft he /him camaleon2016
Paulo Flabiano Smorigo [email protected] Canonical he / him pfsmorigo
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Art Manion [email protected] zmanion
Munawar Hafiz [email protected] OpenRefactory
Chris de Almeida [email protected] IBM he/him ctcpip

Meeting Agenda

Opens

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [122](#122)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls
  • Seeking logo ideas for project

OSV Project

  • Seeking to gain additional adoption and ways to better integrate with the WG work.
  • (see 20230329 notes)

Meeting Notes

  • New Friends intros
    • Josh Buker
  • Open Source Summit-North America (Vancouver, BC) WG/SIG peeps showcase
  • OSS EU CFP open until May (OpenSSF Day CFP will be opening soon):
    • Spain this year
    • If you need assistance from the group, reach out; last time we did abstract feedback and co-presenters
    • You can re-submit talks from Vancouver; there is only a 60% overlap of attendance
  • OSS Asia
    • There will be an Asia summit but no details yet
  • Updates from Sub-Projects
    • SIRT-SIG under review - getting a “more executive” brush up
    • We should get some feedback and potential funders if anyone is interested in the next few weeks
  • Auto-Fix SIG
  • VEX
    • First call was on ? (last week)
    • How do we get industry to use more VEX, like scanners
    • Logo was a conversation
    • Everyone is welcome to come participate
  • OSV Project Monthly call APAC friendly
    • When that video is up and running you can watch that
    • Goal: How to get better integrated into our working group, looking for ideas - reach out in Slack or attend a meeting
    • You can get information from our Git Repository, they also have their own slack channel # OSV_Schema
  • Open Source Security Foundation Security Policy - Luigi Gubello - Time box to 15 min
    • #128
    • Proposal: Call this a “vulnerability disclosure” policy - it doesn’t cover all about security
    • Luigi had suggested a consistent security.md file for use throughout the foundation
    • Please title it [google document] vulnerability disclosure as it is not covering everything related to security so the title and contents match [not the security file itself]
    • There is a template already in our guide for maintainers we should leverage
    • There are one or two other disclosure policy discussions ongoing - including one on outgoing reports - and possibly already an inbound
    • This is the same one
    • This would be a model (template) for everyone who wants to adopt it
    • Everyone should look at this file and provide feedback, ideally by next call, as we can then ask it to be part of the default collateral when making new projects within the foundation.
  • David A. Wheeler: GitHub private reporting - add that?
    • See: ossf/oss-vulnerability-guide#47
    • They have announced a formal beta for a private reporting capability which makes it much easier to accept vulnerability reports
    • This is time sensitive as there are other items in process that would refer to this
    • Is everyone ok with recommending (not requiring) this?
      • Approved by the group
  • David A. Wheeler: Possible idea - LF-wide [policy] text to encourage vulnerability reporting. Current draft text, what do you think?
    • If you maintain an LF project, or lead an LF foundation, we ask that you take steps to (1) make it easy for vulnerability finders (security researchers) to report vulnerabilities, and (2) be ready to receive those reports. The OpenSSF “Guide to implementing a coordinated vulnerability disclosure process for open source projects” can help you do that. As noted above, typically vulnerability reports are sent to security@YOUR_DOMAIN and/or GitHub private reporting; this should be noted in a SECURITY.md file and README file. We also encourage you to make vulnerabilities less likely. For example, we encourage you to learn how to develop secure software, as well as use practices (see OpenSSF Security Scorecards and the OpenSSF Best Practices badge). Each LF foundation and project is expected to try to develop software that is adequately secure for its purpose and to apply good practices to counter attacks (including supply chain attacks), and continuously improve.
    • Summary [TL;DR]? The LF as a backstop of last resort: if I can’t find a specific owner, I can use security@ as a backstop for reporting an issue with LF projects.
      • Art Manion has been looking at something like this and wants to make sure there is not a conflict / it is at the right level
    • TBD based on funding where the destination for the mailbox would be/go
    • We expect this to end up catching infrastructure level reports as there is not currently a good location for these today [reports today on DNS for example]
      • The email address already exists
      • The discussion needs to occur on what group/people will monitor this as >1 person is needed
    • Ideally the LF would have a better way to find/contact projects
    • The group is fine with it
  • Jonathan Leitschuh - the document discussed last meeting has been submitted and we are awaiting feedback on it
  • Jonathan Leitschuh - API for vulnerability (private) reports is coming to allow opening reports in the API in the next few weeks

20230330 - APAC CALL

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Andrew Pollock [email protected] Google/OSV he/him andrewpollock
Oliver Chang [email protected] Google he/him oliverchang
Chris de Almeida [email protected] IBM he/him ctcpip

Meeting Agenda

Opens

Meeting Notes

  • Good notes are good
  • WG held a vote. It was exciting. Majority elected endorse OpenVEX joining the Vuln Disclosure WG. Doodle poll closing in 48 hours to schedule recurring meeting for this topic.
  • CRob already involved with CISA’s VEX/SBOM efforts
  • OpenVEX toolset as an added option
  • Planning on working with OASIS, CSAF, CycloneDX to build consensus
  • Jonathan has a doc out for review on disclosure policy. Waiting for TAC review, not sure how to get it on their radar. Add to doc for future meeting items. (Short items only?) Email the TAC list with pre-read.
  • Update on autofix
    • meetings still occurring Wed 4pm Eastern
    • Try to do private disclosure where services provide an API to do so
  • GitHub API to support getting private repo disclosures from GHSAs and API for updating
    • Currently writing Py GitHub bindings, link in Slack channel
  • Open Source Security Foundation Security Policy proposed for OpenSSF repos
    • Out for feedback, no further steps at present. Feel free to review/converse about on Slack etc (point of contact is Luigi Gubello)
  • How do we better integrate OSV with the working group?
    • A blog post (for the OpenSSF blog) is planned explaining what OSV is, what we’re doing etc
    • General update
      • Advocate for more databases to adopt the OSV schema as a format
      • Rocky Linux is supporting it natively as of recently (we’re yet to ingest it)
      • Lacking Linux distribution support, would like more of them to get on board
      • Advocacy is always appreciated
      • Engage with the CVE Program and NVD on challenges with ingesting CVEs and improving data quality
        • Participating in AWG and QWG
      • Also working on getting more CVEs into OSVs
      • NVD seems to have some issues with adopting CVE 5.0
      • Advocating for more openness in contributing data improvements, e.g. GHSA. Make things streamlined.
    • 3 areas the WG and Foundation can help
      • Distros: 3 in the foundation (SUSE, Canonical, Red Hat)
      • Preference for these is native adoption
      • CVE Board: CRob knows and works with some board members. Historically OpenSSF has been working with them.
      • Upcoming conferences
      • Podcast
      • Big announcements: add to agenda, tell CRob :)
  • Andrew Fryer: popping by, grad student interested in Fuzzing
    • Oliver Chang also works on OSS Fuzz 🙂

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

  • Presentation to GB being prepared; plan still under review
CVD Guide for Consumers - Issue [115](#115)
  • Seeking contributors to work on document
CVE Autofix - Issue [123](#123)

OpenVEX SIG

  • Adopted as SIG under WG. Waiting on Legal review/ip transfer.
  • Working on git repo and establishing regular calls

OSV Project

Meeting Notes:

20230329 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Munawar Hafiz [email protected] OpenRefactory
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Michael Scovetta [email protected] Microsoft / OpenSSF Alpha-Omega he/him scovetta
Azeem Shaikh [email protected] Google he/him azeemshaikh38

Meeting Agenda

Opens

  • GitHub vulnerability reporting API (coming shortly)
    • Listing advisories in a repo
    • Update single advisory with a patch
    • List a single advisory
    • Create an advisory in a repository
    • Web hooks
    • Coming soon: Comments, forks
    • Problem ran into: Avoiding duplicate PRs
    • Azeem: Question - considered having an App to avoid the rate limiting issue?
      • Jonathan: Not sure if Moderne supports using a different App, also limited by what repos accept the app
  • Discussion on automating disclosure
    • Balance needs of maintainer w/ community
    • How about projects that have issues disabled?
      • Attempt manual? Try for ~3 months to see what the actual volume is?
    • (Scovetta) We should do our best to route everything through private disclosure.
    • Discussion on using GHSA within the finder's account to privately disclose as a fallback.
  • Opt out - see this discussion

Meeting Notes

  • Jonathan: 6 hours max time to run a campaign is the ideal.

20230329

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh [email protected] Open Source Security Foundation He/Him JLLeitschuh
Randall T. Vasquez [email protected] Gentoo he/him ran-dall
Jay White [email protected] Microsoft he/him camaleon2016
Yesenia Yser [email protected] OpenSSF Alpha-Omega cyberjiujiteira
Arnaud Le Hors [email protected] IBM he/him lehors
Michael Scovetta [email protected] Microsoft / OpenSSF Alpha-Omega he/him scovetta
Bernal Murillo IBM

Meeting Agenda

Opens

Meeting Notes

20230322

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Jonathan Leitschuh [email protected] Open Source Security Foundation He/Him JLLeitschuh
Crystal Hazen (HackerOne)
Randall T. Vasquez [email protected] Gentoo he/him ran-dall
Kayla Underkoffler (HackerOne)
Tracy Miranda Chainguard she/her
Avishay Balter [email protected] Microsoft he/him
Fridolin Pokorny [email protected] Datadog he/him fridex
Nicole Schwartz [email protected] ActiveState She/her AmazonV and NicoleSchwartz
Noah Spahn [email protected] Open University noah-de
Namita Madhira Comcast She/her
Arnaud Le Hors [email protected] IBM he/him Lehors
Sandipan Roy [email protected] Red Hat he/him ByteHackr
Luigi Gubello [email protected] Pitch luigigubello
Munawar Hafiz [email protected] OpenRefactory openrefactorymunawar

Meeting Agenda

Opens

Meeting Notes

  • Starting with new friends
    • Nicole Schwartz is back after swapping companies
    • Luigi - usually in another group but has been posting a bunch so here
    • Namita - has been in best practices but new to this group
  • Vulnerability Disclosure Policy - Jonathan
    • I want to be able to submit this to legal and TAC?
    • Want to review open comments and concerns and resolve them
    • Issue with deadline -
      • CRob: 90 days may not be enough time; what happens if it goes beyond?
      • +1; certain actors are using the 90 days to their favor when it may not be enough
      • It’s intended to be slightly flexible, but you need a timeline (ref: Project 0 FAQ); if you don’t have one and don’t enforce it, vendors continue to move forward with not fixing things in a timely manner
      • CRob: you're targeting OSS maintainers, as they are not a company and not beholden to dates
      • Replace == time limit
    • Request to be non us centric with calling out working days and holidays - substitution to major public holidays as that can be negatively taken by international maintainers
      • Noting it is important to strike a balance between being palatable (flexible) while still being able to set expectations
    • Define “extreme circumstances”
      • Perhaps set example instead of define?
      • Earthquake?
      • Add additional examples as desired
    • Patch is schedule = Remediation
      • What if it is easier to do a configuration file change and a proper fix at a later date
      • We are setting the outer bounds, if a maintainer wants to accelerate that they can
      • But not everything is fixed by patch they could instead turn off a service
      • Remediation is more readily understood by non developer users
      • Remediation is a better catch all, where mitigation and things can have specific things people think of
      • Calling out the verbiage as we may want to be aware remediation steps may begin, or start within the time limit, of 14 days
        • Remediation steps should be the maintainers - it could include starting with a hot fix (band aid)
        • Sometimes the remediation is not able to be completed within a timeframe the security researcher wants - the ultimate fix may vary - there could be regressions.
        • We are trying to get this to be flexible?
        • Yes but if there is a complex ecosystem or maintainer can’t reach timeline we need to be able to negotiate and avoid boxing ourselves in and help downstream manage risk
    • 21 day mitigation paragraph
      • If we have direct confirmation the report has been received, but not acknowledged *
      • Only disclose at 21 days if the report has been received
        • But not getting acknowledgement of receipt - using ghosting as avoidance or it could be them not being there
        • Dependencies that are popular are maintained by one person who may be on vacation
        • In Europe it is common that people go on vacation for 4-5 weeks and don’t touch their phone. At 5 weeks we can get creative with alternative ways to reach the maintainer.
        • Is there a - who do we contact? Is there a standard way?
      • Q: will OpenSSF release a patch?
        • Not a hard requirement
      • Statement about “7 days is appropriate”
        • Request to table for a week
          • Jonathan to schedule a meeting
        • Back on topic - attempt to avoid a specific amount of days to lock in
          • Could need to be faster? Yes
          • There could be legal terminology needs/concerns
          • Emergency scenarios like embargo leaks
          • Warning could be pedantic and literal interpretations of terminology to avoid a specific number people obsess over
          • Most people will address within the timeline but we like to reserve this
          • I want to be able to put things up front they can look at and avoid surprises and not we’re making it up on the fly - we’re applying this uniformly to all maintainers
          • Many people don't read and just skim looking for numbers
          • +1 ^ & widespread adoption needs to be flexible, as time progresses we can add more structure - getting people to understand what we are trying to do, more people will be willing to work with you instead of identifying edge cases which can derail the conversation
          • Active exploitation is rare, if it’s a one person project, tends to happen in larger projects like struts, we are unlikely to be placing this on these smaller maintainers
  • OPEN VEX
    • 11 members voted in favor of adoption, 5 against, many abstentions
    • This is now a member project
    • TAC needs to formally vote and go on legal review of IP and have it transferred to the foundation
    • Any additional feedback or comments
    • https://github.com/openvex/spec
    • Thank you for everyone who participated and gave your time and attention we had a lot of good feedback to consider as we move forward
  • Security Policy - hold for next meeting & can discuss on slack (there is a conversation started there)
    • I am working on format to share security information about a project. Some of our platform did not have a security.md or a way to contact maintainers. I propose we have one that covers all of ours as a default and individual maintainers can have their own if desired. A generic email and using github private to report. Needs to be easy to read - how to report - how we communicate. I don’t think we need lots of details and add complexity. I have based it on the wrapper you suggested and then added a bit more context especially the main change is we use private issues primarily and email as secondary. It is not perfect. We can adapt and improve based on incoming reports. Some more popular projects may get more than others and we are likely to get a number of false positives to start. Grammar edits welcome.
    • Consistent across foundation projects - since we recommend it
    • There is now a valid email in that document because a vuln had to be reported
      • Many thumbs up
    • Next step: formally log in the issue tracker and keep it on the docket in order to get implemented
    • Please review the document and provide comments quickly
  • What is the process to move forward something to the TAC
    • Create an issue and submit to TAC - next meeting is results of tac election so likely would not have time - don’t wait get issue created and submitted (email) so it’s in the queue

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

CVD Guide for Consumers - Issue [115](#115)
CVE Autofix - Issue [123](#123)

Meeting Notes:

20230315 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Matt Smith (Google)
Olga Kundzich [email protected] Moderne/OpenRewrite
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Yotam Perkal [email protected] Rezilion he/him pyotam

Meeting Agenda

Meeting Notes

    1. Messaging and 4. Opt-out
  • GitHub private PR
  • Normal flow is to ask maintainer to open a GHSA to allow the private communication
  • New feature for security researchers to disclose the vulnerability privately, but it is an opt-in feature
  • GHSA does not have a public API, limited to UI, can’t scale it up with tooling
    • API is coming soon, maybe in next 2-3 weeks
  • Opt-out mechanisms
    • .github/GH-ROBOTS.txt and others
  • Granularity
    • Global disable?
    • Per submitter
    • Per repository
    • Per branch to only receive PRs for maintained branches for supported versions of products
  • There can be a GSD id regardless of the package maintainer opting out
    • There can still be a diff
  • It may get messy if PRs are made against many branches
  • Default to PR against main branch
  • Enabling private PR by default is related to one of the biggest complaints by package maintainers: that the PR can expose the presence of a vulnerability
    1. Mandatory Private Disclosure
    • Private disclosure to top 10000 critical projects
      • There are challenges about private disclosures at scale for projects that opt out of private disclosures
    • Do we build the doc around what is currently supported, then modify it once new features come out?
      • For near term features that will land before document is finalized, keep updating doc, for long-term problems, move to another section or future facing version of the doc
    • Currently, no platform supports private disclosures via API
    • There is no standardized channel to disclose manually
    • The maintenance of the list, top 10 on the list have manual update challenges, tabled until next meeting.
  • Centralized page for campaign
    • Not clear if information cannot all be contained in PR
    • Will follow up to understand details of requirements better
  • Add information about 3rd party review of code generator
    • To add confidence that the campaign
  • Not having sponsorship
    • Open up to broader group for discussion
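A worked example added to these notes (it is not code from the WG, Alpha-Omega, Moderne or GitHub) that ties together the GitHub advisory API discussion in the 20230329 Autofix SIG notes above (listing a repository's advisories, the rate-limiting problem, and avoiding duplicate PRs) with the per-branch opt-out granularity discussed in this meeting. It assumes the REST endpoint GET /repos/{owner}/{repo}/security-advisories returns objects carrying ghsa_id, cve_id and state, and that rate limiting is signalled through the X-RateLimit-Remaining, X-RateLimit-Reset and Retry-After headers; the HTTP layer is replaced by a constructed sample response so the script runs offline, and every GHSA and CVE identifier in it is a placeholder.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; no network is used here."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = "[]"


def backoff_seconds(resp: Response, now: float) -> float:
    """Seconds a campaign bot should wait before its next request.

    GitHub signals primary rate limiting with X-RateLimit-Remaining: 0 and
    X-RateLimit-Reset (epoch seconds); secondary limiting carries a
    Retry-After header.  Any other response needs no wait.
    """
    if resp.status not in (403, 429):
        return 0.0
    if "Retry-After" in resp.headers:
        return float(resp.headers["Retry-After"])
    if resp.headers.get("X-RateLimit-Remaining") == "0":
        reset = float(resp.headers.get("X-RateLimit-Reset", now))
        return max(0.0, reset - now)
    return 60.0  # assumption: conservative default when no header says more


def parse_advisories(resp: Response) -> list:
    """Parse the JSON array returned by
    GET /repos/{owner}/{repo}/security-advisories (only a few fields used)."""
    if resp.status != 200:
        return []
    return json.loads(resp.body)


def should_open_fix_pr(advisories: list, open_pr_titles: list, cve_id: str,
                       branch: str, maintained_branches: set) -> tuple:
    """Decide whether the campaign may open a fix PR for cve_id on branch.

    Rules, in order: honour the per-branch opt-out (PRs only against
    maintained branches); skip repos whose advisory list already has a
    published or closed entry for the CVE (handled or dismissed by the
    maintainer); skip repos with an open PR that already names the CVE.
    Returns (allowed, reason).
    """
    if branch not in maintained_branches:
        return False, "%s is not a maintained branch" % branch
    for adv in advisories:
        if adv.get("cve_id") == cve_id and adv.get("state") in ("published", "closed"):
            return False, "%s already covers %s" % (adv["ghsa_id"], cve_id)
    for title in open_pr_titles:
        if cve_id in title:
            return False, "open PR already references %s: %r" % (cve_id, title)
    return True, "no existing advisory or PR for %s" % cve_id


# Constructed sample response; GHSA and CVE identifiers are placeholders.
SAMPLE_LIST_RESPONSE = Response(200, {"X-RateLimit-Remaining": "4999"}, json.dumps([
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "cve_id": "CVE-1900-0001",
     "state": "published", "summary": "placeholder published advisory"},
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "cve_id": None,
     "state": "draft", "summary": "placeholder draft without a CVE"},
]))


if __name__ == "__main__":
    advisories = parse_advisories(SAMPLE_LIST_RESPONSE)
    open_prs = ["Fix CVE-1900-0003 in parser"]  # constructed PR title
    for cve, branch in (("CVE-1900-0001", "main"),
                        ("CVE-1900-0002", "main"),
                        ("CVE-1900-0002", "release-1.x")):
        print(cve, branch, should_open_fix_pr(advisories, open_prs, cve, branch, {"main"}))
    print("wait:", backoff_seconds(Response(403, {"Retry-After": "30"}), 0.0))
```

The check runs before any PR is created, so a repository that has already published its own advisory, or that only maintains `main`, is left alone; the backoff helper is what a GitHub App or PAT-based bot would consult between calls instead of retrying blindly.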

20230308

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her Taladrane
Jonathan Leitschuh [email protected] (Dan Kaminsky Fellowship - HUMAN) He/Him JLLeitschuh
Randall T. Vasquez [email protected] Gentoo he/him
Francis Perron (Independent) u269c
Nathan Menhorn [email protected] (AMD) nathan-menhorn
Tracy Miranda Chainguard she/her
Avishay Balter [email protected] Microsoft he/him
Fridolin Pokorny [email protected] Datadog he/him fridex
Brandon Lum [email protected] Google he/him lumjjb
Jay White [email protected] Microsoft he/him camaleon2016
Olle E. Johansson [email protected] Edvina AB he/him oej
Yesenia Yser [email protected] OpenSSF Alpha-Omega cyberjiujiteira
Adolfo García Veytia [email protected] Chainguard he/him/él puerco

Meeting Agenda

  • Who wants to help out and scribe for us today? [email protected]
  • New Friends intros
    • Olle! Welcome!
    • Tracy! Welcome!
    • Brandon! Welcome!
    • Adolfo! Welcome!
  • Opens
  • Updates from Sub-Projects
    • .
  • [CRob] Upcoming TAC elections:
    • Voter Eligibility (Electorate) Self-Nomination Process
      • Any contributor to OpenSSF working groups or initiatives is eligible to participate in the election. Valid contributions include: commits or submitted pull requests via Github; public edits or comments on Google docs or other work products associated with OpenSSF; posting messages to any mailing list or on Slack; and beyond that any other form of positive engagement with OpenSSF activities. The form asks you for an example of your contributions; this is merely to make it easier for election observers and OpenSSF staff to validate. If you have in any way been involved in or care about OpenSSF, but are in doubt as to whether your contribution “counts”, please fill it out anyways, and we will follow up.
      • Deadline: March 12, 2023
      • Voter Eligibility Self-Nomination Form
    • TAC Self-Nomination Process
      • The OpenSSF Technical Advisory Council (TAC) is composed of seven total individuals, four of whom are elected annually. If you are interested in serving on the TAC, and qualify as an eligible voter as above, please complete the self-nomination form below,
      • Deadline: March 12, 2023
      • TAC Candidate Self-Nomination Form
    • SCIR Self-Nomination Information and Process
      • Since early in its existence, the OpenSSF Governing Board has sought to ensure it gets adequate input from voices in the software security community who would otherwise not be at the table. We seek candidates for the Security Community Individual Representative (SCIR) who can represent those voices, while also being a subject matter expert in the field with their own set of perspectives. Familiarity with the different OpenSSF working groups and projects, and being able to dedicate the time to be sufficiently informed on the issues that arise in our monthly calls and ongoing discussions, is highly desired. It is also highly desired, but not required, that the SCIR be a contributor and thus eligible to vote in the election.
      • Deadline: March 12, 2022
      • SCIR Candidate Self-Nomination Form
  • Seeking a WG Backlog Warden to help us organize & prioritize our work streams
    • Work estimate: 1h/month, lightweight
    • Tasks:
      • Review Issues & PRs
      • Bring items to WG that need attention
      • Help clean out cruft & keep us moving forward!
    • Earn amazing accolades from your peers and oss-friends!
      • All: y-ay.
    • How? → ping CRob on slack
  • APAC call update - on 23Feb met with two gents from the OSV project. Good convo. Seeking ways we can all better collaborate together.
    • TZ challenges; most of OSV is in Australia.
    • Zoom chat: once a month planned; next call last week of March. See the calendar.
      • todo(CRob): add the entry in the shared calendar.
  • OpenVEX with the Dans!!
    • DL: ZOOM security update, brb.
    • See presentation at minute 14 (until min 44) of the meeting recording.
    • OSV blog post recently published about Automating and Scaling Vex Generation: https://osv.dev/blog/posts/automating-and-scaling-vex-generation/
    • Questions phase:
      • Jeffrey Borek: some outreach has been done with vendors on this. What is the situation w.r.t. Working across boundaries and groups on these standards? Does this risk getting the industry more confused / fragmented? Clients/Customers tend to be overwhelmed by a new tech/approach every 4 weeks, is this yet another thing we are adding on the OpenSSF agenda, or is this something we are early enough in the intro process here to have some sort of alignment?
        • DL: ISO? IETF? Yes; my understanding is that the CISA working group was to define an understanding, not the format. Yes, we would like this to be proposed as an international standard. Waiting on general consensus.
        • Art Manion: correct, the CISA work will publish a document “any day now” on the requirements, not a prescriptive list of items or implementations.
        • JB: thank you, it helps, but it won’t solve the customer problem…
        • DL: correct, we understand that… we do think VEX + SBOM will be important for customers though. They will lead to cost, and confusion… hopefully scanners can obfuscate this away.
      • Jay White: Regarding pushing this as a standard, starting here in the OpenSSF is a good place to start that process. The OpenSSF is a good group to start that collaboration and contribution.
        • DL: yes, that’s what we’d like to do.
        • CRob: what would you like for us to assist with?
        • DL: We’d like the OpenVEX to be added to this WG
          • Follow the intro process
          • Be adopted, become a standard.
        • CRob: arright! We’ll start the process and create an issue to discuss this on GH.
        • FP: timeline for adoption?
          • Whenever.
        • CRob: excellent - we’ll set this up.
  • Vulnerability disclosure
  • Auto SIG

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

OSS-SIRT SIG
  • Plan is moving to GB Funders review!
CVD Guide for Consumers - Issue [115](#115)
  • Organizing ToC/topics for guide & seeking participants
CVE Autofix - Issue [123](#123)

Meeting Notes:

20230301 - Autofix SIG

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Jonathan Leitschuh* [email protected] Open Source Security Foundation - Alpha Omega he/him Jlleitschuh
Kasimir Schulz [email protected] (Trellix) he/him
Munawar Hafiz [email protected] OpenRefactory
Matt Smith (Google)
Yesi LF/A-O

Meeting Agenda

  • New Friends intros
  • Who wants to help out and scribe for us today?
  • Opens

Meeting Notes

  • Intros, new friends all get to know a bit about each other
  • Purpose - to discuss best practices about how to automate the disclosure of vulns within oss (and not upset the maintainers too much)
  • Desire to minimize the likelihood of making maintainers upset and getting banned by environments like GitHub, bitbucket. Gitlab
  • Is drawing up a list of requirements for campaigns:
    • Specification: OpenSSF Compliant Automated Vulnerability Fix Campaign
    • JL is seeking feedback from this crew (please note who is logging feedback; log into Google please) (outline to follow)
      • High level - any vuln that is fixed at scale should be fixed upstream
      • Mandatory private disclosure timeframe
      • Messaging requirements of data that must be included in PR
      • Origin requirements (must come from a real person, not a robot)
      • Suggestions around targeting certain source code
      • Commit msg format specs
      • Host coordination
      • Offering disclosure assistance to maintainer if they desire
    • Does anyone see anything initially glaringly missing or wrong? (understanding this is the first look at the doc)
      • Kasimir notes: commit msg format, gpg signing
      • Munawar questions: has been manually doing this; doing this at a small level is hard. Is there another way they could do some of these things? How do you automate private vuln reports? Doing 20 projects seems like A LOT. JL - it has been best effort. There is a guide for reporters from OSSF that can provide some insights to researchers JL - has been signing things himself, but since work is shifting to the A-O project there are some complications with LF legal to work through around signing. JL & OSSF is working through ways to do.
      • CJM - could you grant explicit terms along with PR for CLAs that have been approved in the past? JL - the maintainers typically are not lawyers and may not have access to lawyers for this. JL - what is the upper level of CLAs MH has signed (10-15 on good days, 5-7 normally) MH says his company is shifting to person-owned acct as opposed to an org one to reduce friction with devs. JL - wondering on how to address “the bus factor”...would existing PRs need to be regen’ed, would having dupe PRs be a big challenge? MH - PRs have a lifecycle
      • JL - A-O is developing a portal to aggregate output of scanners/tools to have a “single pane of glass”
      • JL - will be sharing doc through vuln-disc wg mailing list & Slack channel after making github issue in wg repo
      • Researchers mostly have been working with GitHub for these issues.
      • Is anyone engaged in this work in an active campaign they’d be interested in discussing?
        • MH - interested in SQL injection.
          • JL has some early code, but has not recently worked on it
          • JL is interested in data flow/control flow analysis. CodeQL does this currently. Implementation will be difficult. Glad to share as able to work on further
        • JL - there is a proposal to fix the cve-2007-4559 vuln that Kasimir may be interested to look at
        • JL - campaigns have been historically one-offs. Is anyone running regular campaigns or one-offs? MH - has been on a rolling basis; as new reports come in that may invalidate earlier ones they update their analysis and effort starts again. Not really structured. There are too many bugs to effectively handle
          • JL - are these shared via PRs (yes, sometimes dev asks for an issue, not a PR)
          • KS - same. One-offs
        • JL has plans for several automatic campaigns that will be put into place
    • After doc is reviewed by this group, JL would like to get feedback from maintainers (apache commons perhaps as one group)
      • MS - is there potential for different groups using different tooling? If folks follow the spec, how will campaigns be coordinated to ensure devs aren’t flooded? JL - hopes this group can help coordinate that. MS - perhaps researchers should register their campaigns to minimize the reports at once. MH - would need a central place the data would come into for folks to understand overlap is occurring.
      • MH - another question - because we are bulk generating things, it is hard to track the status of the pull requests. Are there any techniques or tools to manage this? How many of these bulk PRs have been merged? KS - his campaign submitted over 60k requests, but a good amount have been merged. With limited resources, some emails were dropped. Hard to keep balance. JL - varying merge rates, most successful one took 4 years to get to 40% merges. JL uses a GH tracking issue for campaigns. API can be scraped to backtrack PRs.
  • Goals - the spec doc, coordination of campaigns to avoid overlap, …what else are we interested in?
    • MS - systemization of the patching of the vulns once they have been disclosed. Standardization of the metadata between campaigns so info can be inspected by other tooling JL - item #3 touches on this point
    • MS - is there a way to systematically ID that a patch is for security? JL - we maybe could leverage the GSD

20230223 - APAC CALL

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Andrew Pollock [email protected] Google/OSV he/him andrewpollock
Oliver Chang [email protected] Google he/him oliverchang
Jonathan Leitschuh [email protected] Open Source Security Foundation He/Him JLLeitschuh

Meeting Agenda

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

OSS-SIRT SIG
  • Plan under review/comments from TAC. So far, 4 members have expressed a desire to move it forward to the GB
    • Committee will determine the process to move this forward to the GB
    • We will need something simpler for the GB, probably an exec-level slide preso
    • CRob will let us know when the wheels start turning
CVD Guide for Consumers- Issue [115](#115)
Autofix SIG - Issue [123](#123)
  • Meeting time selected: Wednesday 4:00 to 5:00 PM EST

Meeting Notes:

20230222

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Randall T. Vasquez [email protected] Gentoo he/him
Jay White [email protected] Microsoft he/him camaleon2016
Noah Spahn [email protected] Open University noah-de
Brian Behlendorf [email protected] LF/OpenSSF he/him brianbehlendorf
Art Manion [email protected] zmanion
Jonathan Leitschuh [email protected] Open Source Security Foundation He/Him JLLeitschuh
Avishay Balter [email protected] Microsoft He/Him

Meeting Agenda

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

OSS-SIRT SIG
  • Plan under review/comments from TAC. So far, 4 members have expressed a desire to move it forward to the GB
CVD Guide for Consumers - Issue [115](#115)
Autofix SIG - Issue [123](#123)
  • Meeting time selected: Wednesday 4:00 to 5:00 PM EST

Meeting Notes:

20230208

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her taladrane
Jonathan Leitschuh [email protected] Open Source Security Foundation He/Him JLLeitschuh
Nathan Menhorn (AMD)
Arun S M [email protected] Walmart he/him arsulegai
Jason Keirstead [email protected] IBM he JasonKeirstead
Avishay Balter [email protected] Microsoft he/him
Bradford Bartlett Sonos (representing myself)
Art Manion [email protected] zmanion
Yesenia Yser [email protected] Linux Foundation cyberjiujiteira
Paulo F Smorigo [email protected] Canonical he/him pfsmorigo
Arnaud Le Hors [email protected] IBM he/him lehors
Munawar Hafiz [email protected] OpenRefactory he/him munahaf

Meeting Agenda

Opens

Meeting Notes

  • The TAC agreed to provide feedback on the SIRT team. Hopefully that will start getting in during the coming week.
  • An OSSF day at OSS NA was announced yesterday at the TAC meeting. Encourage everyone to submit to the CFP.
  • First APAC friendly meeting took place with low attendance, partly due to a public holiday in AU at that date.
  • The OSV team is based in Australia so we are hoping to better collaborate with them with the APAC friendly meeting.
  • OpenVEX discussion is postponed to the next meeting of this group due to conflict of meetings by the maintaining team.
  • Proposed projects. We are interested in picking one or two of the list to get participation and start work on them.
    • Incident response playbook (#113) *
    • OSS consumer VDC guide (#115) *
    • Enabling the existing guides, github actions, tooling, etc. (#116) *
    • Evangelize the existing guides and work (#121)
    • Official Security.md and official disclosure process for the foundation (#122) *
    • How finders can share practices and tools/automations between them (#123)
      • Has its own channel already.
      • Doodle link included above (opens section) for the group’s meeting time
  • Question in chat: Do we have a single place/repository to look for all reported/known vulnerabilities across domains/projects/foundations? Automation tool will be next step
    • Alpha omega are working with github, in the context of their finding, to perhaps keep that as part of github advisories.
  • Can hyperledger/blockchain technologies be used in the context of vulnerability disclosure, and in multi participants VD.
    • The Hyperledger system is designed to securely maintain data such as that required for VDs and CVEs
    • CVSS is designed for maintaining vulnerability scoring with the ability to allow or limit changes to the severity.
    • Perhaps the attestation work that alpha omega is leading can benefit from hyperledger tech.

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

OSS-SIRT SIG

20230126 - APAC CALL

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Munawar Hafiz [email protected] OpenRefactory he/him munahaf

Meeting Agenda

  • New Friends intros
  • Who wants to help out and scribe for us today?
  • Opens
  • Report from OSS-SIRT SIG Sections
  • Discuss past/current WG projects
    • CVD Guides
      • Maintainers
      • Finders/Security Researchers
      • Consumers (new!)
    • Automation of tooling to empower CVD guides (new!)
    • OSS-SIRT SIG
    • OSV (ish)
    • VEX (new?) (see 25jan2023 notes for details)
  • Discuss options for next group project/future work for WG

Opens

  • Creating a sub-working group regarding automated vulnerability fixing at-scale - Issue 123
  • Creating an outgoing vulnerability disclosure policy for the Alpha Omega project - Issue 122

OSS-SIRT SIG Section Team Activities

  • Full SIG (CRob)
    • TAC reviewing - Issue 131

Meeting Notes:

  • Note that there are minimal options to engage with OSSF during APAC time zones

20230125

Attendees

(please Mark your name in black if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Madison Oliver [email protected] GitHub she/her taladrane
Randall T. Vasquez [email protected] Gentoo he/him
Nathan Menhorn [email protected] (AMD) nathan-menhorn
Hart Montgomery [email protected] Linux Foundation he/him hartm
Dan Luhring [email protected] Chainguard he/him luhring
Jay White [email protected] Microsoft He/him Camaleon2016
Art Manion [email protected] zmanion
Allan Friedman [email protected] CISA He/him allanfriedman
Arnaud Le Hors [email protected] IBM he/him lehors

Meeting Agenda

  • New Friends intros

  • Who wants to help out and scribe for us today?

  • Opens

  • Discuss options for next group project/future work for WG

    • Open Source Cert SIG sent for approval and Rob will report back status
    • New instance of this meeting, last Thursday of every month with an APAC friendly time 6pm EST
  • VEX - Vulnerability Exploitability eXchange - expressing affectedness thru electronic advisories (Dan Luhring)
    • Intro
      • Current tools: spreadsheets for tracking issues, not very efficient
      • Machine readable way of analyzing vuln scanning results
  • New APAC monthly call starting 26Jan @6pm EST

Opens

  • Potentially create a sub-working group on automated vulnerability fixing at scale; maybe disclosure as well, and creating norms around this
    • ( ) Jonathan - create an issue for this in order to collect feedback
    • Is this under Alpha-Omega already? It does some of this but other companies are working on this issue as well. Additionally, AO is not a working group.
    • ( ) Jonathan - create a slack channel for this
      • Send a note to operations@openssf and cc: Crob
  • AO needs a disclosure policy for outgoing reports

OSS-SIRT SIG Section Team Activities

  • Full SIG (CRob)
    • TAC reviewing - Issue 131, no updates atm

Meeting Notes:

20230111

Attendees

(please mark your name in black if you are here, or add a row with name/email/affiliation if joining)

Name Email Affiliation Pronouns
CRob [email protected] Intel/OSSF he/him
Madison Oliver [email protected] GitHub
Jonathan Leitschuh [email protected] (OSSF/LF - Project Alpha Omega & Dan Kaminsky Fellowship - HUMAN) he/him
Avishay Balter [email protected] (Microsoft ) He/him
Jay White [email protected] (Microsoft) He/him
Yesenia Yser [email protected] Linux Foundation
Art Manion [email protected]
Sandipan Roy [email protected] Red Hat He/Him

Meeting Agenda

Opens

OSS-SIRT SIG Section Team Activities

  • Full SIG (CRob)

Meeting Notes:

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
David A. Wheeler [email protected] Linux Foundation
Madison Oliver [email protected] GitHub she/her taladrane
Jennifer Mitchell [email protected] Tidelift
Andrew Pollock [email protected] Google he/him andrewpollock
Jonathan Leitschuh [email protected] Independent He/Him Jlleitschuh
Yesenia Yser [email protected] OpenSSF, Alpha-Omega cyberjiujiteira
Yotam Perkal (Rezilion)
Crystal Hazen (HackerOne)
Randall T. Vasquez [email protected] Gentoo he/him
Eric Hatleback (CERT/CC)
Kayla Underkoffler (HackerOne)
Francis Perron (Independent) u269c
Anne Bertucio (Google)
Nathan Menhorn (AMD)
Eric Tice (Wipro)
Andres Orbe [email protected] he/him AOrps
MegaZone (aka MZ) (F5, Inc.)
Art Manion [email protected] zmanion
Jay White Microsoft
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Nicole Schwartz [email protected] ActiveState she/her NicoleSchwartz/CircuitSwan
Noah Spahn [email protected] The Open University noah-de
Ixchel Ruiz [email protected] JFrog she/her ixchelruiz
Chris de Almeida [email protected] IBM he/him ctcpip

Meeting Agenda

  • Who wants to help out and scribe for us today?
  • New Friends intros
  • Opens
  • Updates from Sub-Projects

Opens

Meeting Notes

Sub-Projects

(leads, please enter updates to inform full group; highlight anything for larger group discussion)

OSS-SIRT SIG - [Plan](https://github.com/ossf/SIRT/tree/main/plan)

  • On hold, pending funding approval

CVD Guide for Consumers - Issue [115](#115)

  • Seeking contributors to work on the document

Autofix - Issue [123](#123)

OpenVEX SIG

OSV Project

Meeting Notes:

- Autofix SIG

Attendees

(please Mark an “X” next to your name if you are here, or add-row name/email/affiliation if joining)

Name Email Affiliation Pronouns GH ID
CRob [email protected] Intel/OSSF he/him SecurityCRob
Jonathan Leitschuh [email protected] OpenSSF He/Him Jlleitschuh
Yesenia Yser [email protected] OpenSSF, Alpha-Omega cyberjiujiteira
Yotam Perkal (Rezilion)
Andres Orbe [email protected] he/him AOrps
Josh Buker [email protected] Cloud Security Alliance he/him joshbuker
Saumya Navani [email protected] OpenSSF he/him Saumyanavani
Sully Martinez [email protected] OpenSSF she/her
Tim te Beek [email protected] Moderne he/him timtebeek
Jordan Harband [email protected] he/him LJHarb
Aaron Blume [email protected] Alpha-Omega he/him aaronist
Michael Scovetta [email protected] Microsoft he/him scovetta
Munawar Hafiz [email protected]

Meeting Agenda

  • New Friends intros
  • Who wants to help out and scribe for us today?
  • Opens