Re: Siren by OpenSSF
I signed up too.

J.

On Wed, May 29, 2024 at 10:43 AM Arnout Engelen wrote:
> (adding security-disc...@community.apache.org for visibility)
>
> Looks interesting, I signed up.
>
> As this is a post-disclosure channel, ideally we don't really expect to
> learn about new vulnerabilities here, but there's a couple of ways I think
> it could be useful:
>
> For discussions around issues in our own projects:
> * we could monitor that they indeed map to disclosures we published and flag
>   'rogue' publications
> * we could learn about how we could improve our messaging
> * we could consider proactively sending our advisories to Siren (like we do
>   to oss-security), I'll get in touch with them on whether and how that's
>   welcome.
>
> For discussions around issues in our dependencies:
> * perhaps we could use Siren as an extra signal to highlight particularly
>   serious issues, as generally monitoring advisories for dependencies has a
>   low signal-to-noise ratio (
>   https://cwiki.apache.org/confluence/display/SECURITY/Dealing+with+security+advisories+for+dependencies
>   ), so it's not obvious how to do this effectively.
>
> Kind regards,
>
> Arnout
>
> On Wed, May 29, 2024 at 4:31 AM Roman Shaposhnik wrote:
> > This seems like a pretty useful service for getting early
> > signals around disclosures and such. Given how many
> > projects in the supply chain they are tracking are from
> > the ASF I wonder if we need to be on a receiving end
> > of it either via security@a.o or some other way?
> >
> > https://openssf.org/blog/2024/05/20/enhancing-open-source-security-introducing-siren-by-openssf/
> >
> > Thoughts?
> >
> > Thanks,
> > Roman.
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> > For additional commands, e-mail: dev-h...@community.apache.org
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
Re: Siren by OpenSSF
(adding security-disc...@community.apache.org for visibility)

Looks interesting, I signed up.

As this is a post-disclosure channel, ideally we don't really expect to learn about new vulnerabilities here, but there's a couple of ways I think it could be useful:

For discussions around issues in our own projects:
* we could monitor that they indeed map to disclosures we published and flag 'rogue' publications
* we could learn about how we could improve our messaging
* we could consider proactively sending our advisories to Siren (like we do to oss-security), I'll get in touch with them on whether and how that's welcome.

For discussions around issues in our dependencies:
* perhaps we could use Siren as an extra signal to highlight particularly serious issues, as generally monitoring advisories for dependencies has a low signal-to-noise ratio (https://cwiki.apache.org/confluence/display/SECURITY/Dealing+with+security+advisories+for+dependencies), so it's not obvious how to do this effectively.

Kind regards,

Arnout

On Wed, May 29, 2024 at 4:31 AM Roman Shaposhnik wrote:
> This seems like a pretty useful service for getting early
> signals around disclosures and such. Given how many
> projects in the supply chain they are tracking are from
> the ASF I wonder if we need to be on a receiving end
> of it either via security@a.o or some other way?
>
> https://openssf.org/blog/2024/05/20/enhancing-open-source-security-introducing-siren-by-openssf/
>
> Thoughts?
>
> Thanks,
> Roman.

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
Siren by OpenSSF
This seems like a pretty useful service for getting early signals around disclosures and such. Given how many projects in the supply chain they are tracking are from the ASF I wonder if we need to be on a receiving end of it either via security@a.o or some other way?

https://openssf.org/blog/2024/05/20/enhancing-open-source-security-introducing-siren-by-openssf/

Thoughts?

Thanks,
Roman.