OpenJS Foundation announces first Collaboration Space: Package Vulnerability Management & Reporting
When it comes to vulnerability reporting, maintainers must manage many issues, from updating dependencies to broader communications when a new CVE is reported against a popular library in our ecosystem. Many of these reports turn out to be "false positives" from an impact/vulnerability perspective: the advisory is real, but the reported code path is not reachable or exploitable in the way the package is actually used. This level of noise creates distrust in the relationships among security companies/researchers, maintainers, and the collective end-users/consumers.
The Package Vulnerability Management & Reporting Collab Space will create a neutral forum for ecosystem stakeholders to discuss and collaborate, with the intention of improving CVE reporting and resolution workflows while minimizing the burden on maintainers and quieting noise for consumers. This cross-functional effort has a wide reach and impacts security researchers/organizations, package maintainers, and end-users/consumers.
The goals of the Package Vulnerability Management & Reporting Collab Space include:
- Improve delineation of domains & controls
- Improve communication between maintainers & security researchers/organizations
- Improve tooling for package auditing, resolution & management as a whole
Impact & users of the project
Current Collab Space members include:
- Darcy Clarke (@darcyclarke) – Champion
- Wesley Todd (@wesleytodd) – Champion
- Zbyszek Tenerowicz (@naugtur)
- Christopher Hiller (@boneskull)
- Michael Dawson (@mhdawson)
- Dominykas Blyžė (@dominykas)
- Jordan Harband (@ljharb)
- Marcin Hoppe (@MarcinHoppe)
If you are interested in participating in the Package Vulnerability Management & Reporting Collaboration Space, check out their repo on GitHub.
Learn more about this new Collaboration Space during OpenJS World, where Darcy Clarke (GitHub) and Wes Todd (Netflix) will give the talk "Package Vulnerability Management and Reporting Collaboration Space for OpenJS World".
Join the speakers for live Q&A in the Slack channel #openjs_world-security:
- Wednesday, June 2 from 14:20 – 14:40 PDT / 23:20 – 23:40 CEST
- Thursday, June 3 from 11:00 – 11:20 PDT / 20:00 – 20:20 CEST