Our vision is an open source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.
The first objectives we're using to track our progress towards that vision are:
- Create a unified format and API for vulnerability reporting (from researchers to maintainers) and drive broad adoption of it across the open source software ecosystem
- Create a unified format, API, and process for coordinated disclosure (from maintainers to users/the world) and drive broad adoption
- Define a unified list of metadata for vulnerability reports and disclosures
Meeting notes are kept in this repository.
The CHARTER.md outlines the scope and governance of our group activities.
The working group meets every three weeks, on Monday at 7am Pacific. Currently we are using Zoom for working group meetings.
Contact Marcin for calendar details.
The meeting agenda is published before each meeting in a GitHub issue with the label `meeting`. The issue contains the agenda items and logistics details such as the date, time, Zoom link, and a link to the meeting notes document.
- Leader: Marcin Hoppe (Auth0 / Node.js Ecosystem Security WG)
- Alex Mullans (GitHub)
- Nico Waisman (GitHub)
- Eva Sarafianou (Auth0)
- Crystal Hazen (HackerOne)
- Alex Rice (HackerOne)
- Eric Brewer (Google)
- Steve Dower (Microsoft/CPython)
- Hauwa Otori (GitHub)
- Lindsey Glovin (Uber)
- Sherif Mansour (OWASP)
- Martijn Russchen (HackerOne)
- Ben Willis (HackerOne)
We use the vulnerability-disclosures-wg GitHub team.