Skip to content

Latest commit

 

History

History
40 lines (30 loc) · 2.69 KB

README.md

File metadata and controls

40 lines (30 loc) · 2.69 KB

Package Vulnerability Management & Reporting Collaboration Space

Mission Statement

Today maintainers deal with a significant influx of issues, PRs (re. updating dependencies) & broader comms when a new CVE is reported on a popular library in our ecosystem. Many of these are being considered "false positives" from an impact/vulnerability perspective. This level of noise creates distrust in the relationships between security companies/researchers, maintainers, & the collective end-users/consumers.

By creating a neutral forum to discuss & ideate across this ecosystem's stakeholders, we hope to improve CVE reporting & resolution workflows; Minimizing burden on maintainers & noise for consumers.

Examples of desired or successful outcomes from this discourse/space:

  • Improved delineation of domains & controls
  • Improved communication between maintainers & security researchers/organizations
  • Improved tooling for package auditing, resolution & management as a whole
    • ex. package maintainers have a mechanism to flag/counterclaim vulnerability reports of dependencies that do not affect their own usage/workflows
    • ex. end-users have a mechanism to more granularly control the visibility of the vulnerability reports of their dependencies (including filtering on flags/counterclaims)

Collaboration Space Members

In-Flight Intiatives

  • Submit & get accepted a proposal for dedicated Collaboration Space
  • Creation of a dedicated repository within the openjs-foundation GitHub Organization
  • Creation of a channel within the Foundation's Slack Organization
  • Determine a time for recurring meetings w/ members
  • Setup meeting generation tools to align with existing Foundation best practices
  • Setup Foundation's Zoom & YouTube accounts for streaming

Links & Resources