
@taladrane

Working Group Activities and Updates:

  • OSV Project Schema Graduation: Describes efforts to bring the OSV schema into compliance with OpenSSF's graduated security requirements, including tracking the application process and plans to reduce repository administrators.
  • CVD Guide for Consumers: Details the development of a guide to help open source consumers engage with vulnerability disclosures, with an outline completed and a call for contributors.

Vulnerability Reporting Improvements:

  • Handling CVEs for Unreleased Software: Addresses challenges with CVE publication for unreleased code, discusses schema improvements, and outlines next steps for guidance and best practices.

Global Coordination Initiatives:

  • Advise on Global Vulnerability Intelligence Platform: Summarizes the formation of a group to support a federated vulnerability intelligence platform, ongoing meetings, and the need for common standards and APIs.

Signed-off-by: Madison Oliver <[email protected]>
@taladrane taladrane requested a review from a team as a code owner September 2, 2025 14:33

## Overview

The Vulnerability Disclosures WG is actively engaged in improving the overall security of the OSS ecosystem by advancing vulnerability reporting and communication. Our community continues to see consistent engagement, with new contributors joining recent calls from organizations like Microsoft, OWASP, and the Erlang Ecosystem Foundation, indicating a healthy and growing interest. Latest news includes ongoing efforts to clarify CVE publication for unreleased software and to better integrate VEX into vulnerability management.

@taladrane: on the topic of VEX, is the group planning to evolve/graduate OpenVEX?


Just a kind reminder. Thanks, @taladrane!


@marcelamelara marcelamelara left a comment


Thanks @taladrane !

* **Purpose:** To explore and support the development of a global platform for vulnerability intelligence, aiming to provide a more federated and comprehensive approach to vulnerability reporting and data sharing. This initiative seeks to address current challenges in obtaining all vulnerability details from disparate sources and to foster better coordination across the industry.
* **Current Status:** A dedicated group is forming around this initiative (https://github.com/ossf/wg-vulnerability-disclosures/issues/162), with an open planning meeting already held to discuss initial requirements and gather input. Reference materials have been shared, and there's active discussion regarding recent developments around the CVE Foundation, the potential emergence of the EU MVD, and the desire for a more unified global approach. The working group has concluded that it will support this work.
* **Up Next:** The group plans to continue regular meetings to define the initial requirements for the platform. There's also an intention to invite GCVE (Global Cyber Vulnerability Economy) representatives to a WG meeting to foster cooperation and alignment with entities working on similar problems, such as the National CERT of Luxembourg.
* **Questions/Issues for the TAC:** We believe a common API and a standardized way to disclose reports are crucial for effective global vulnerability intelligence. We would appreciate the TAC's support in advocating for such common standards and exploring ways to encourage broader adoption.

The Global Cyber Policy and/or ORBIT WGs could possibly offer support here as well.
