The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.

The Vulnerability Disclosure Working group is officially a Graduated-level working group within the OpenSSF >

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers.

A world where coordinated vulnerability disclosure is a normal, easy, and expected process that is supported by guidance, automation, and tooling for maintainers, consumers, researchers, and vendors, with the goal of making open source software and the open source software supply chain more secure for everyone.

A world where coordinated vulnerability disclosure is:

• a common, easy, and expected process
• supported by well-documented guidance, automation, and tooling for open source maintainers and consumers, security researchers, and vendors
• with the goal of making open source software and supply chains more secure for everyone.

We plan on addressing this challenge through the following actions:

• Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented guidance and educational materials.
• Identifying vulnerability disclosure pain points and incentives for OSS maintainer, consumers, and security researchers and taking steps to address them.
• Facilitate the development and adoption of a standards-based OSS Vulnerability Exchange (VEX) that uses existing industry formats and allows OSS projects of all sizes to be able to report, share, and learn about vulnerabilities within OSS components.

• Evangelize artifacts and tooling from the group through podcasts, conference presentations, blogs, etc. for things like the CVD guides, OSV, & VEX -- Podcasts -- Blogs -- Conferences -- Open office hours to interact with Open Source project managers and help them.
• Support industry-wide vuln coordination efforts with good practices identified by the OSS-SIRT SIG
• Expand use of VEX by upstream projects through the advocacy and use of VEX and VEX-creation tools (such as OpenVEX). Issuance of VEX documents upstream helps the whole ecosystem understand what is needed and how to effectively execute, providing critical vuln affectedness data to downstream consumers so they can understand how to incorporate with other vuln info (CSAF, OSV, SBOM, etc).
• Increase awareness and use of CVD guides, techniques, and tools
• Increase the awareness and use of OSV
• Participate in forthcoming industry “VulnCon” and related conferences to share OSS vuln mgmt perspectives with broad PSIRT/CSIRT/CERT ecosystem
• Provide guidance, documentation, and templates to the OpenSSF and the broader OSS community for use as security policies and vulnerability management processes (security.md, vuln disclosure policy, etc.)

• Guides to coordinated vulnerability disclosure for open source software projects to assist projects in handling vulnerabilities.
• Open Source Vulnerability Schema - see also osv.dev.
• OSS-SIRT SIG (incubating) - SIG dedicated to update of OpenSSF Mobilization Plan Stream 5 working to create upstream open source incident response team.
• Vulnerability AutoFix SIG (incubating) - Group dedicated to finding best practices in disclosing open source vulnerabilities and fixes to projects at scale
• OpenVEX SIG (sandbox)- Group dedicated to OpenVEX and VEX industry work. OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.
• Guide for Open Source Projects to become a CNA

• Unified list of metadata for vulnerability reports and disclosures
• OpenSSF Recommendations for Open Source Software Vulnerability Disclosure Whitepaper (incubating) - a draft longer paper on various related topics

We communicate on the Vulnerability Disclosure mailing list. Manage your subscriptions to Open SSF mailing lists.

Join us on Slack at https://openssf.slack.com/messages/wg_vulnerability_disclosures

• Recent Update to OSSF TAC on WG activities

The working group meets every two weeks, on Wednesdays at 11:00 AM ET / 8:00 AM PT. Currently we are using Zoom for working group meetings. The invite is available on the OpenSSF Community Calendar.

The Working Group will hold a monthly APAC-friendly call at 6:00pm ET / 3:00pm PT the last Thursday of each month. The invite is available on the OpenSSF Community Calendar.

• 2024 Meeting Minutes
• 2023 Meeting Minutes
• 2022 Meeting Minutes
• 2021 Meeting Notes
• Pre 2021 Meeting notes

We use the vulnerability-disclosures-wg GitHub team.

The CHARTER.md outlines the scope and governance of our group activities.

• Lead - Christopher "CRob" Robinson
• Co-Lead - Madison Oliver, GitHub Security Lab
• Backlog Warden -

• Christopher "CRob" Robinson, Intel

• Jonathan Leitschuh, Dan Kaminsky Fellowship - HUMAN
• Madison Oliver, GitHub Security Lab
• David A Wheeler, LF/OSSF
• Randall T. Vasquez (SKF/Gentoo/Homebrew)

• Adolfo García Veytia, Chainguard & OpenVEX
• Andrew Pollock, Google & OSV
• Arnaud Le Hors, IBM
• Art Manion, ANALYGENCE
• Avishay Balter, Microsoft
• Chris de Almeida, IBM
• Jason Keirstead, IBM
• Jay White, Microsoft
• Jeffrey Borek, IBM
• Jennifer Mitchell, Tidelift
• Ixchel Ruiz, JFrog
• Marcus Meissner (SUSE)
• Nathan Menhorn, AMD
• Nicole Schwartz, ActiveState
• Oliver Chang, Google & OSV
• Paulo Flabiano Smorigo (Ubuntu/Canonical)
• Yotam Perkal, Rezilion

A listing of our current and past group members.

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.