Anne Bertucio
Anne is a Senior Program Manager in Google’s Open Source Programs Office (OSPO) where she helps teams at Alphabet develop, contribute to, and release open source software. Anne works on strengthening the security practices of open source projects run by Google, helping Googlers work effectively and efficiently in open source, and being an advocate for security in the wider open source community. In particular, she focuses on open source vulnerability disclosure, project governance, and contributor sustainability.
Session
Open source software is incredibly powerful - and while that power is often used for good, it can be weaponized when open-source projects contain software security flaws that attackers can use to compromise those systems, or even the entire software supply chains that those systems are a part of. The Open Source Security Foundation is an open, cross-industry group aimed at improving the security of the open source ecosystem. In this presentation, members of the OpenSSF Vulnerability Disclosure working group will be sharing with open-source maintainers advice on how to handle when researchers disclose vulnerabilities in your project’s codebase - and we’ll also take any questions you have about this often mysterious topic!
Part 1 of this presentation will give an overview of the basics of Coordinated Vulnerability Disclosure (CVD) for open-source software maintainers, including some basics about security vulnerabilities, how to communicate securely and write patches without leaking vulnerability information, what you can expect during a disclosure with a researcher, and how to handle challenging scenarios like when you can’t patch, when a vulnerability is already being exploited by a threat actor in the wild, or when a vulnerability impacts many downstream dependencies.
Part 2 of this presentation will include a discussion about vulnerability disclosure best practices, pitfalls, and challenges. We will also welcome questions from the audience - ask us anything about dealing with vulnerabilities in open source!