Vulnerability disclosure research

[rarkins]

Is this WG involved in any way in this upcoming vulnerability disclosure survey by GitHub?

[rarkins]

Tweet for context:

[Foxboron]

Nothing in the meetings at least.

[MarcinHoppe]

Not to my knowledge. I will reach out to Hauwa to check if there is any overlap.

[HonkingGoose]

I think I found something relevant in #99 (comment), full quote:

The group would like to develop a CVD guide for OSS projects. The guide should include the CVD process, how to work with security researchers in a CVD setting, and templates for security policies (issue #95).

A fork of Google's CVD for OSS guide has been added here to give a starting base. Please open issues, PRs, and edit away!

The linked ossf/oss-vulnerability-guide repository has a section on Feedback:

Feedback

We welcome feedback from OSS project maintainers and security researchers on this guide. Opening a GitHub Issue is the best way to send feedback (see CONTRIBUTING.md for directions on submitting PRs).

So I think this is where you can contribute as a maintainer or security researcher.

I might be totally wrong though... 🙈 Just wanted to mention what I found, in case it's relevant.

[rarkins]

I think we can close this issue now. The answer appears to be that it was private research which GitHub performed for commercial purposes, not OSSF.