Merged
37 changes: 37 additions & 0 deletions TI-reports/2025/2025-Q3-VD-WG.md
@@ -0,0 +1,37 @@
# 2025 Q3 Vulnerability Disclosure WG

## Overview

The Vulnerability Disclosures WG is actively engaged in improving the overall security of the OSS ecosystem by advancing vulnerability reporting and communication. Our community continues to see consistent engagement, with new contributors joining recent calls from organizations like Microsoft, OWASP, and Erlang Ecosystem Foundation, indicating a healthy and growing interest. Latest news includes ongoing efforts to clarify CVE publication for unreleased software and to better integrate VEX into vulnerability management.
Contributor

@taladrane: on the topic of VEX, is the group planning to evolve/graduate OpenVEX?

Contributor

Just a kind reminder. Thanks, @taladrane!


The APAC timed meeting has continued to increase in attendance since the last TAC WG update, from as low as 2 participants earlier this year to being between 5-8 participants for the last three months. There is an opportunity to increase engagement in this meeting.

The AMER timed meeting has continued to maintain good participation and engagement, median of 10 participants with a low of 7 and a high of 15.

## Activity #1: OSV Project Schema Graduation

* **Purpose:** The OSV (Open Source Vulnerability) schema existed prior to the current OpenSSF project maturity model. The purpose of this activity is to formally bring the OSV project schema into compliance with OpenSSF's "graduated" security requirements, ensuring its continued robustness and alignment with broader community standards.
* **Current Status:** We are actively working on the graduation application, which includes addressing various security requirements from the OpenSSF security baseline. A GitHub Project has been created to track the application process, and a draft [pull request](https://github.com/ossf/tac/pull/456) is being worked on in the OpenSSF TAC repository. Discussions are ongoing with Google regarding the resolution of outstanding issues related to the schema.
* **Up Next:** The immediate next steps involve continuing to address any remaining requirements for graduation, including potentially reducing the number of repository administrators to a maximum of three once the application is completed and [implementing the security baseline](https://github.com/ossf/osv-schema/issues?q=state%3Aopen%20label%3A%22security%20baseline%22). We also aim to onboard at least one new home database to the OSV ecosystem and maintain alignment with industry standards throughout this process.
* **Questions/Issues for the TAC:** No specific questions or issues for the TAC at this time, as the process is progressing as planned.

## Activity #2: [CVD Guide for Consumers](https://github.com/ossf/wg-vulnerability-disclosures/issues/115)

* **Purpose:** To develop a comprehensive guide for open source consumers to effectively understand and engage with upstream project vulnerability disclosures. This guide aims to improve how downstream users interact with vulnerability information and contribute to a more secure ecosystem.
* **Current Status:** The outline for the consumer-focused guide is complete. This effort predates the CRA, but there is interest in developing a separate guide for downstream manufacturers in the future. Discussion has included clarifying the scope and target audience, considering whether it should be a formal guide or a blog series, and reviewing existing resources like the CERT/CC Guide to CVD.
* **Up Next:** We are actively seeking additional contributors to help complete the document. The next phase involves drafting the content based on the established outline and incorporating feedback from the community to ensure its practicality and usefulness.
* **Questions/Issues for the TAC:** No specific questions or issues for the TAC at this time, but we welcome any suggestions for potential contributors or resources.

## Activity #3: Handling CVEs for Unreleased Software

* **Purpose:** To address the complexities and potential issues arising from the publication of CVEs for unreleased or development-branch code. This includes developing clearer guidance for CNAs and maintainers on how to accurately report and communicate such vulnerabilities, and to prevent false positives for released software versions.
* **Current Status:** This topic has been a significant point of discussion in multiple working group meetings. A specific incident (CVE-2025-6494) highlighted the problem where a CVE published for an unreleased commit incorrectly flagged all versions of the software as vulnerable. Discussions have explored whether additional CVE rules or guidance are needed, how to leverage the CVE schema’s "Git" versioning to specify affected commit ranges, and the distinction between vulnerabilities in "unreleased" software versus those found in bundled or repackaged contexts. The OSV project has also made a decision to change how disputed CVEs are handled, to prevent automatic withdrawal in the conversion process.
* **Up Next:** Chris de Almeida will create an issue in the working group's repository to continue the discussion asynchronously and formalize potential recommendations. This will involve exploring best practices for providing versioning in CVEs to avoid false positives and considering what guidance might be beneficial for maintainers regarding security work and when it is appropriate to publicize an issue. We will also explore how the OSV database could better support this.
* **Questions/Issues for the TAC:** We are considering whether the CVE rules could benefit from additional guidance or "shoulds" (as opposed to "must nots") regarding CVE publication for unreleased code, especially given the nuances of open-source development and distribution. We will keep these questions in mind as the OSSF and LF continue to discuss a global open source vulnerability database (next initiative).

## Activity #4: Advise on Global Vulnerability Intelligence Platform

* **Purpose:** To explore and support the development of a global platform for vulnerability intelligence, aiming to provide a more federated and comprehensive approach to vulnerability reporting and data sharing. This initiative seeks to address current challenges in obtaining all vulnerability details from disparate sources and to foster better coordination across the industry.
* **Current Status:** A dedicated group is forming around this initiative (https://github.com/ossf/wg-vulnerability-disclosures/issues/162), with an open planning meeting already held to discuss initial requirements and gather input. Reference materials have been shared, and there's active discussion regarding recent developments around the CVE Foundation, the potential emergence of the EU MVD, and the desire for a more unified global approach. The working group has concluded that it will support this work.
* **Up Next:** The group plans to continue regular meetings to define the initial requirements for the platform. There's also an intention to invite GCVE (Global Cyber Vulnerability Economy) representatives to a WG meeting to foster cooperation and alignment with entities working on similar problems, such as the National CERT of Luxembourg.
* **Questions/Issues for the TAC:** We believe a common API and a standardized way to disclose reports are crucial for effective global vulnerability intelligence. We would appreciate the TAC's support in advocating for such common standards and exploring ways to encourage broader adoption.
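Review bot: The expansion of GCVE given in the Up Next bullet of Activity #4 ("Global Cyber Vulnerability Economy") should be verified against the initiative's own published name before this lands in a TAC report; the same bullet ties the effort to the National CERT of Luxembourg, so the WG can confirm the wording with them directly. Separately, several acronyms appear with no first-use expansion (VEX in the Overview, CRA in Activity #2, EU MVD in Activity #4), and Activity #3 switches from "OpenSSF" to "OSSF" in its final bullet; TAC reports are read outside the WG, so expand each once and keep one spelling. Finally, the OSV decision on disputed CVEs in Activity #3's Current Status would benefit from a link to the issue or PR where it was made, as the other activities already do for their tracking issues.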
Contributor

The Global Cyber Policy and/or ORBIT WGs could possibly offer support here as well.