The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD) for all. The group will be a coordinated group of experts from across the industry who will be available to help open source maintainers with all aspects of remediating high-impact security vulnerabilities and related security emergencies
To empower and coordinate open source security teams and open source software projects to be self-sufficient with respect to handling vulnerabilities in their software, and improve itself through lessons learned from its engagement.
The SIRT will respond and collaborate with open source software project's requests for assistance, guidance, and support. Through the SIRT's offerings, open source software projects may expect to receive helpful and inclusive recommendations or direction in the handling, processing, communications, and general management of suspected and confirmed vulnerabilities and findings reported to them, directly or by proxy in a manner that considers the project's existing response processes.
In the course of serving open source projects, the SIRT will consider all information provided, seek to understand any outside influences or additional factors to be considered prior to engaging, and render a decision on engagement and execution accordingly. The SIRT shall balance the needs and constraints of the projects requesting support, as well as the needs of the consumers of those projects to the practical extent possible.
Historically, Open Source maintainers and end users have depended on a circle of trust to distribute and consume Open Source Software safely. Over the last several years, this concept has proven to be problematic and sub-optimal by itself with the increase of attacks targeting open source maintainers as well as the components they create and maintain. Effectively, these problems have illustrated additional effort and work are required to ensure that both Consumers and End Users of maintainers are consuming Open Source Software safely while still, having their needs met with the least friction to their overall intent and objective in maintaining their software. As it presently stands, this type of work traditionally is the responsibility of a project's Maintainer group; however, frequently, the Maintainer(s) already lack sufficient resources to address their own needs adequately let alone take on the additional work being asked of them to develop and provide their open source component in a secure manner acceptable to anyone using it. Piling on more work to the already stressed pipeline and burdened maintainers often results in Security not being prioritized until a Security issue becomes the forefront, which is often too late for a project's Consumers and End Users.
This SIRT's motivation is to make available the incident response resources to assist Open Source Software communities, downstream consumers, and vulnerability management ecosystems in addressing their current and upcoming Security issues, vulnerabilities, incidents, and the processes necessary for their execution. We intend to deliver service offerings to projects that provide an additional support arm against incidents, like log4shell
, which are otherwise not available to these projects. We hope these efforts will assist in addressing critical and time-sensitive Security issues across the Open Source Software communities that participate in the program.
To develop a cohort of trustworthy, vendor-neutral, vetted, well-orchestrated and experienced group of security professionals
EXPRESSLY OUT OF SCOPE:
- Anything involving vulnerabilities in closed-source/proprietary software
- Security improvements to open-source software that are not tactically essential to the patching of newly-reported, high- and critical-impact vulnerabilities in open-source software
- Helping projects or individual enterprises with remediating their security exposures from another open-source project’s security vulnerabilities
The OpenSSF's Mobilization Plan - Stream 5
- Official communications occur on the OSSF OSS-SIRT Mailing list.
Manage your subscriptions to Open SSF mailing lists. - Slack Channels - stream-05-incident-response, wg_vulnerability-disclosures
- The OSS-SIRT proposed plan
- Areas that need contributions
- Comments/feedback on the plan or services you'd like to see the OSS-SIRT offer
- Where to file issues - https://github.com/ossf/SIRT/issues
- Every Tuesday @ 9:00 am EST The invite is available on the OpenSSF Community Calendar.
- 2023 Meeting Minutes are recorded in google docs
- 2022 Meeting Minutes
The CHARTER.md outlines the scope and governance of our group activities.
- David A Wheeler, LF/OSSF
- Emily Fox, Apple, CNCF TOC
- [Eric Tice, WiPro]
- [Jennifer Mitchell, Tidelift]
- Madison Oliver, GitHub Security Lab
- [Marta Rybczynska, OSTC]
- VM Brasseur, WiPro
- Marta Rybczynska
- Art Manion, ANALYGENCE
- [Matt Rutkowski, IBM]
- Avashay Balter, Microsoft
- Arnaud J Le Hors, IBM