CRob

Results: 127 comments of CRob

> There are so many problem areas along the open source security lifecycle I think making assumptions about precisely what a consumer of an open source component is the first...

On 12/18/20 6:53 AM, Marcin Hoppe wrote:
> In the last WG meeting we had an idea of collecting and distilling the information we've gathered so far in...

Those Product Security teams involved with FIRST will be familiar with the Vulnerability Disclosure SIG's Multiparty Vuln Disclosure guidelines - https://www.first.org/global/sigs/vulnerability-coordination/multiparty/FIRST-Multiparty-Vulnerability-Coordination.pdf Ideally this and other documents can help inform us...

On 2/8/21 6:16 PM, jenniferfernick wrote:
> Hi @MarcinHoppe / @RedHatCRob
>
> I'd like to contribute to this whitepaper! However, I haven't participated in this working...

We're big fans of SCAP/OpenSCAP. OpenSCAP consumes our OVAL data to give an accurate scan of a system for vulns versus many commercial scanners. If not directly part of the...

I've started the outline for the consumer cvd guide: https://docs.google.com/document/d/1aceGbHm_NQWCWRWnoELNLWL-S72CR79CaEA6mnYkyo0/edit We'll start collaborating on this in the coming weeks along with the End Users WG.

While we're working on a disclosure policy for A-O, it would also be useful to collaborate on a stock SECURITY.MD file for use across all foundation projects. That way, we...

I'm getting notes from the recent consult we did with the requested upstream project, but here is a historic blog we wrote as a suggested good practice for upstreams to...

Blog Content: The Open Source Security Foundation (OpenSSF) Developer Best Practices Working Group has undertaken a project to improve the overall security and integrity of critical open source software projects...

I suggest we approve this request until the end of 2025, at which time the project can demonstrate progress and reapply. That would be 15mos x $50/mo = $750 for...