Today maintainers deal with a significant influx of issues, PRs (re. updating dependencies) & broader comms whenever a new CVE is reported against a popular library in our ecosystem. Many of these reports are effectively "false positives" from an impact/vulnerability perspective: the vulnerable code path is not reachable from the way the dependency is actually used, so there is no exploitable impact for that consumer. This level of noise erodes trust between security companies/researchers, maintainers, & the collective end-users/consumers.
By creating a neutral forum to discuss & ideate across this ecosystem's stakeholders, we hope to improve CVE reporting & resolution workflows, minimizing the burden on maintainers & the noise for consumers.
Examples of desired or successful outcomes from this discourse/space:
- Improved delineation of domains & controls
- Improved communication between maintainers & security researchers/organizations
- Improved tooling for package auditing, resolution & management as a whole
  - ex. package maintainers have a mechanism to flag/counterclaim vulnerability reports of dependencies that do not affect their own usage/workflows
  - ex. end-users have a mechanism to more granularly control the visibility of the vulnerability reports of their dependencies (including filtering on flags/counterclaims)
- Darcy Clarke (@darcyclarke) - Champion
- Wesley Todd (@wesleytodd) - Champion
- Zbyszek Tenerowicz (@naugtur)
- Christopher Hiller (@boneskull)
- Michael Dawson (@mhdawson)
- Dominykas Blyžė (@dominykas)
- Jordan Harband (@ljharb)
- Marcin Hoppe (@MarcinHoppe)
- Submit a proposal for a dedicated Collaboration Space & get it accepted
- Creation of a dedicated repository within the openjs-foundation GitHub Organization
- Creation of a channel within the Foundation's Slack Organization
- Determine a time for recurring meetings w/ members
- Set up meeting-generation tooling in line with existing Foundation best practices
- Set up the Foundation's Zoom & YouTube accounts for streaming