Software security is an important aspect of any mature software project and spans all phases of software development, from design through development and support. One important aspect of software security is responding to vulnerabilities discovered in the software after it has been released and is in use by users and/or other software projects. Vulnerabilities can lead to exploits, particularly if the vulnerability becomes public, which simplifies development of an exploit. Since exploits have strong negative consequences for software users, it is imperative that software projects respond to vulnerabilities with remediation before an exploit is developed for the vulnerability. Ideally, a remediation is released before the vulnerability becomes public knowledge, let alone before an exploit is developed. The goal of this document is to capture current best practices for responding to security vulnerabilities in open source software projects, which face some unique challenges due to the normally open nature of these projects. The document was written based on the author’s experience establishing and participating in a vulnerability response process for the Globus Project and researching other vulnerability response processes found in the references.