
#FOSSBack – Preparing for Zero-Day: Vulnerability Disclosure in Open Source Software

Speakers: Anne Bertucio, Jennifer Fernick, Christopher Robinson

Slides and Speaker profile: https://pretalx.com/foss-backstage-2022/talk/R3PVPW/

Open source software is incredibly powerful. While that power is often used for good, it can be weaponized when open-source projects contain security flaws that attackers can use to compromise the systems built on them, or even the entire software supply chains those systems are part of. The Open Source Security Foundation (OpenSSF) is an open, cross-industry group aimed at improving the security of the open source ecosystem. In this presentation, members of the OpenSSF Vulnerability Disclosure working group share advice with open-source maintainers on what to do when researchers disclose vulnerabilities in your project's codebase, and we'll also take any questions you have about this often mysterious topic!

Part 1 of this presentation will give an overview of the basics of Coordinated Vulnerability Disclosure (CVD) for open-source software maintainers, including some basics about security vulnerabilities, how to communicate securely and write patches without leaking vulnerability information, what you can expect during a disclosure with a researcher, and how to handle challenging scenarios like when you can’t patch, when a vulnerability is already being exploited by a threat actor in the wild, or when a vulnerability impacts many downstream dependencies.

Part 2 of this presentation will include a discussion about vulnerability disclosure best practices, pitfalls, and challenges. We will also welcome questions from the audience - ask us anything about dealing with vulnerabilities in open source!

Follow us on Social Media and join the Community!
Twitter: https://twitter.com/fossbckstg
LinkedIn: https://www.linkedin.com/showcase/68797995/

Website: https://foss-backstage.de


FOSS Backstage is an event by Plain Schwarz – https://plainschwarz.com