Vulnerability Response for Open Source Projects

Software security is an important aspect of any mature software project and spans every phase of software development, from design through implementation and support. One important part of software security is responding to vulnerabilities discovered in software after it has been released and is in use by users and/or other software projects. Vulnerabilities can lead to exploits, particularly once a vulnerability becomes public, since public details simplify the development of an exploit. Because exploits have strong negative consequences for software users, it is imperative that software projects respond to vulnerabilities with a remediation before an exploit is developed for them. Ideally, a remediation is released before the vulnerability becomes public knowledge, much less before an exploit is developed.

The goal of this document is to capture current best practices for responding to security vulnerabilities in open source software projects, which face some unique challenges due to the normally open nature of these projects. The document was written based on the author's experience establishing and participating in a vulnerability response process for the Globus Project and on research into other vulnerability response processes found in the references.

Changelog:
  • v.2, June 9, 2010: Initial version.
  • v.4, June 14, 2010: Comments from Jim Barlow (CVSS) and Adam Slagel (crediting the reporter; added Section D). Numerous editorial fixes.
  • v.5, June 22, 2010: Comments from Randy Butler (discussion of fully private vs. fully open processes). More editorial fixes.
  • v.6, July 5, 2010: Comments from Mike Dopheide (discussion of commits to VCS being public) and Ben Laurie (trusted communities not being best practice; moved to own section).
Attachment: Vulnerability response for open source projects (123k, v. 6, July 5, 2010, 9:45 AM, Von Welch).