Coordinated Vulnerability Disclosure

30/12/2022 23 min Episodio 17

Listen "Coordinated Vulnerability Disclosure"

Episode Synopsis

Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about the recent release of OpenSSF’s “Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects” document and the important step of obtaining a CVE ID in the coordinated vulnerability disclosure process for open-source vulnerabilities.OpenSSF is a “cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them.” The CVD Guide was released by OpenSSF’s Vulnerability Disclosure working group in September 2022, which in 2021 released its “Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects” document, both of which are discussed by Shannon and Madison. Other discussion topics in this episode include the importance of finders (e.g., security researchers, hackers, academics, bug bounty hunters, etc.) in vulnerability management, how finders can expedite their requests to software owners with quality information in their initial requests, OpenSSF’s vulnerability report template and how using it can help with requests, importance of obtaining a CVE ID for open source and all vulnerabilities, best practices for working with CVE Numbering Authorities (CNAs), managing expectations for turnaround times, the CVE Program’s CVE Record Dispute Policy, why all participants should remember that they are interacting with people in all aspects of the vulnerability management process, and more. LINKS:OpenSSF CVD Guide – https://github.com/ossf/oss-vulnerability-guide/blob/main/finder-guide.md#readmeOpenSSF vulnerability report template – https://github.com/ossf/oss-vulnerability-guide/blob/main/templates/notifications/disclosure.md OpenSSF Implementing a CVD Process Guide – https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#readme CVE Record Dispute Policy – https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdfCNAs – https://www.cve.org/ProgramOrganization/CNAs

More episodes of the podcast We Speak CVE

The CVE Consumer Working Group (CWG) 14/10/2025

Mapping the Root Causes of CVEs 05/08/2025

25 Years of CVE and What’s Next 04/02/2025

CNA Onboarding Process Myths Versus Facts 01/10/2024

Expected Impact of the CNA Rules 4.0 21/05/2024

Swimming in Vulns (or, Fun with CVE Data Analysis) 29/04/2024

Meet the 3 New CVE Board Members 09/04/2024

CVE Records States and Tags 26/03/2024

The Council of Roots 30/01/2024

How the New CVE Record Format Will Benefit Consumers 26/09/2023

Ver todos los episodios

ZARZA We are Zarza, the prestigious firm behind major projects in information technology.

Coordinated Vulnerability Disclosure

Listen "Coordinated Vulnerability Disclosure"

Episode Synopsis

More episodes of the podcast We Speak CVE

Free Internet, a prediction in Nostradamus style

Subdomains, a glance with the experts!

Bandwidth: Broadband or Narrowband?

Personnel recruitment via Web

Deep web or Invisible Internet

Subdomains, a glance with the experts!

Free Internet, a prediction in Nostradamus style

Educational Technology: From traditional to digital

Localhost, there’s no place like 127.0.0.1

Googling with breathtaking tricks you ignore

Internet Predators on the prowl

Gray Hat Hacking, those with ambiguous ethics…

Dot COM: The Internet’s dominant TLD