I signed up too. J.
On Wed, May 29, 2024 at 10:43 AM Arnout Engelen <enge...@apache.org> wrote:
> (adding security-disc...@community.apache.org for visibility)
>
> Looks interesting, I signed up.
>
> As this is a post-disclosure channel, ideally we don't really expect to learn about new vulnerabilities here, but there's a couple of ways I think it could be useful:
>
> For discussions around issues in our own projects:
> * we could monitor that they indeed map to disclosures we published and flag 'rogue' publications
> * we could learn about how we could improve our messaging
> * we could consider proactively sending our advisories to Siren (like we do to oss-security); I'll get in touch with them on whether and how that's welcome.
>
> For discussions around issues in our dependencies:
> * perhaps we could use Siren as an extra signal to highlight particularly serious issues, as generally monitoring advisories for dependencies has a low signal-to-noise ratio (https://cwiki.apache.org/confluence/display/SECURITY/Dealing+with+security+advisories+for+dependencies), so it's not obvious how to do this effectively.
>
>
> Kind regards,
>
> Arnout
>
> On Wed, May 29, 2024 at 4:31 AM Roman Shaposhnik <r...@apache.org> wrote:
>
> > This seems like a pretty useful service for getting early signals around disclosures and such. Given how many projects in the supply chain they are tracking are from the ASF, I wonder if we need to be on a receiving end of it, either via security@a.o or some other way?
> >
> > https://openssf.org/blog/2024/05/20/enhancing-open-source-security-introducing-siren-by-openssf/
> >
> > Thoughts?
> >
> > Thanks,
> > Roman.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> > For additional commands, e-mail: dev-h...@community.apache.org
> >
>
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant