Create 2025-Q1-Vulnerability-Disclosure-WG.md #453
Conversation
Signed-off-by: Madison Oliver <taladrane@github.com>
LGTM
Just comments, not blocking questions - thanks!
- [x] TAC sponsor monitoring and consultation become optional.

### Up Next
- WG Project Board: https://github.com/orgs/ossf/projects/29
I haven't previously seen a WG use a project board to track ideas and show what's in progress - very cool!
### Up Next
- WG Project Board: https://github.com/orgs/ossf/projects/29
- [Project Idea - CVD Guide for OSS Consumers](https://github.com/ossf/wg-vulnerability-disclosures/issues/115) > effort is stagnating and needs to be revived
Not at all urgent, but it would be cool for the Vuln Disclosure WG to have a site like https://best.openssf.org/ or https://repos.openssf.org/ where recommendations were hosted and easily linkable.
Yes, absolutely! I would love to make something like that. I have 3 similar issues tracking ~that need, with ideas to add common vuln disclosure references to our README and well-known open source disclosure processes as examples elsewhere in our docs, in addition to tracking vuln disclosure related policies. I would love to effectively turn these into a site like that! Who do I talk to about that?
ossf/wg-vulnerability-disclosures#151
ossf/wg-vulnerability-disclosures#67
ossf/wg-vulnerability-disclosures#73
I don't remember where I saw this linked, but the information on how to set up those sites is on https://best.openssf.org/spp/Simplest-Possible-Process.
Great update, @taladrane ! Thank you. I have one suggestion, which isn't a blocker.
- [VulnCon 2025](https://www.first.org/conference/vulncon2025/), April 7-10 > many WG members planning to attend with some likely speaking

### Questions/Issues for the TAC
- What other areas in the OpenSSF 2025 Roadmap does the TAC see opportunity for the Vulnerability Disclosures working group? Can we support more with CRA guidance? 👀
I'm not directly involved, but I agree that there's an opportunity to collaborate with the Global Cyber Policy WG. Another idea that came to mind because it has come up in discussion a few times is how this WG may engage with the AI/ML Security WG, since guidance on finding and fixing AI/ML-specific vulnerabilities is on the roadmap as well.
LGTM
This pull request includes updates to the 2025-Q1-Vulnerability-Disclosure-WG.md file to provide a comprehensive overview of the Vulnerability Disclosures Working Group's activities and status for Q1 2025.