(adding security-disc...@community.apache.org for visibility)

Looks interesting, I signed up.

As this is a post-disclosure channel, ideally we don't really expect to
learn about new vulnerabilities here, but there are a couple of ways I think
it could be useful:

For discussions around issues in our own projects:
* we could monitor that they indeed map to disclosures we published and flag
'rogue' publications
* we could learn about how we could improve our messaging
* we could consider proactively sending our advisories to Siren (like we do
to oss-security), I'll get in touch with them on whether and how that's
welcome.

For discussions around issues in our dependencies:
* perhaps we could use Siren as an extra signal to highlight particularly
serious issues, as generally monitoring advisories for dependencies has a
low signal-to-noise ratio
(https://cwiki.apache.org/confluence/display/SECURITY/Dealing+with+security+advisories+for+dependencies),
so it's not obvious how to do this effectively.


Kind regards,

Arnout

On Wed, May 29, 2024 at 4:31 AM Roman Shaposhnik <r...@apache.org> wrote:

> This seems like a pretty useful service for getting early
> signals around disclosures and such. Given how many
> projects in the supply chain they are tracking are from
> the ASF I wonder if we need to be on a receiving end
> of it either via security@a.o or some other way?
>
> https://openssf.org/blog/2024/05/20/enhancing-open-source-security-introducing-siren-by-openssf/
>
> Thoughts?
>
> Thanks,
> Roman.
>

-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
