oss-vulnerability-guide
A guide on coordinated vulnerability disclosure for open source projects. Includes templates for security policies (security.md) and disclosure notifications.
While reading the maintainer guide, I noticed an error in the Markdown format that makes it really difficult to read in the GitHub user interface: , intended to help finders locate the best way to privately contact a maintainer. It looks through SECURITY.md, Security Insights, package metadata,...
also https://cve.mitre.org/cve/request_id.html is obsolete I think it's https://www.cve.org/PartnerInformation/ListofPartners now
Should #7 "(If applicable) Notify providers under embargo" be consumers?
We should discuss releasing details about vulnerabilities. Something like this: The main goal in fixing vulnerabilities is to minimize harm. Developers should try to fix the problem expeditiously, and normally...
Surfacing a recent discussion from the Vulnerability Disclosures WG Slack and the APAC Vulnerability Disclosures WG monthly meeting... Questions to be answered: - What should the disclosure policy be for...