Package Vulnerability Management & Reporting Collaboration Space

May 27, 2021 | Blog

OpenJS Foundation announces first Collaboration Space: Package Vulnerability Management & Reporting

Last year, the OpenJS Foundation announced a new initiative to better align multiple communities on common issues and concerns. Collaboration Spaces are meant to help community-led efforts reach broader audiences and coordinate stakeholders from across the JavaScript ecosystem. We are excited to formally announce our very first Collab Space, Package Vulnerability Management & Reporting, championed by Wes Todd, Senior Software Engineer at Netflix and Darcy Clarke, Engineering Manager of the npm CLI team at GitHub.

When it comes to vulnerability reporting, maintainers must manage many issues, from updating dependencies to broader communications when a new CVE is reported on a popular library in our ecosystem. Many of these reports turn out to be “false positives” from an impact/vulnerability perspective. This level of noise creates distrust in the relationships among security companies/researchers, maintainers, and the collective end-users/consumers.

The Package Vulnerability Management & Reporting Collab Space will create a neutral forum for ecosystem stakeholders to discuss and collaborate with the intention of improving CVE reporting and resolution workflows while minimizing the burden on maintainers and quieting noise for consumers. This cross-functional effort has a wide reach and impacts security researchers/organizations, package maintainers, and end-users/consumers.

The goals of the Package Vulnerability Management & Reporting Collab Space include:

  • Improve delineation of domains & controls
  • Improve communication between maintainers & security researchers/organizations
  • Improve tooling for package auditing, resolution & management as a whole

Impact & users of the project

Current Collab Space members include:

  • Darcy Clarke (@darcyclarke) – Champion
  • Wesley Todd (@wesleytodd) – Champion
  • Zbyszek Tenerowicz (@naugtur)
  • Christopher Hiller (@boneskull)
  • Michael Dawson (@mhdawson)
  • Dominykas Blyžė (@dominykas)
  • Jordan Harband (@ljharb)
  • Marcin Hoppe (@MarcinHoppe)

The founding participants of this Collab Space see far-reaching benefits for the entire JavaScript ecosystem. This is of particular importance to the JS community due to the deeply interconnected relationships created with package dependency trees. Additionally, this work can, and does, extend beyond the scope of the JavaScript ecosystem itself. 

If you are interested in participating in the Package Vulnerability Management & Reporting Collaboration Space, check out their repo on GitHub.

Learn more about this new Collaboration Space during OpenJS World, where Darcy Clarke (GitHub) and Wes Todd (Netflix) will give the following talk: “Package Vulnerability Management and Reporting Collaboration Space for OpenJS World”.

Join the speakers for live Q&A in the Slack channel #openjs_world-security:

  • Wednesday, June 2 from 14:20 – 14:40 PDT / 23:20 – 23:40 CEST
  • Thursday, June 3 from 11:00 – 11:20 PDT / 20:00 – 20:20 CEST