BoF: Securing Open-source: Dependencies, Incident Response, Vulnerabilities, and Bug Bounties
Open-source projects have a more nebulous operating model, and that also means it's harder to figure out who's on the hook when something goes wrong.In security, if you're running an open-source proje …
Talk Title | BoF: Securing Open-source: Dependencies, Incident Response, Vulnerabilities, and Bug Bounties |
Speakers | Maya Kaczorowski (Product Manager, Software Supply Chain Security, GitHub) |
Conference | Open Source Summit + ELC Europe |
Conf Tag | |
Location | Lyon, France |
Date | Oct 27-Nov 1, 2019 |
URL | Talk Page |
Slides | Talk Slides |
Video | |
Open-source projects have a more nebulous operating model, and that also means it’s harder to figure out who’s on the hook when something goes wrong.In security, if you’re running an open-source project that’s widely used, that means the community looks to you for help identifying and addressing vulnerabilities. We’ll discuss what a mature open-source project does for security, including:- mapping and understanding dependencies, and frequently patching those,- responding to incidents in a private manner, and managing disclosures,- patching vulnerabilities and vulnerability management, and- running a bug bounty program.Altogether, these make up a complete security response program for a larger open-source project. We’ll also discuss what to do first if your project is just getting started, what to prioritize with limited resources (that’s every project!), and what smaller projects can do when all of these pieces aren’t possible.