Possible security initiatives and things we've discussed doing as part of the work before, during, and after the January 13th 2022 meeting at the White House. 

Note this is a brainstorming document.  Items can be added by anyone without any expectation they are plausible or will become work we do or policy we produce.  They are in no particular order.

Theme: Developer Education

  • Require a minimum of 3 PPMC members to have attended a (yet to be written) training course on Vulnerability handling at the ASF before the podling is allowed to graduate
  • Require projects to maintain a security team of at least 3 people all of whom have undertaken the training described in the previous point
  • Is OpenSSF training something we should promote to committers
  • Educate projects on the selection of dependencies, and their upkeep (see also "Help users pick secure projects") (This could possibly be OpenSSF Scorecards)
  • Write up how the ASF acts as a Curator of OSS (in terms of the curation discussions happening) and what curation functions are performed

Theme: Improving our process and policy

WH Theme: Preventing Defects

  • Make sure our projects are keeping track of their dependencies, especially things that are EOL, especially things that are other Apache projects and EOL (example log4j v1)
    • Track the dependencies across our projects so we can see the combined-graph for the latest version of each ASF project. Work centrally to encourage that dependencies are not insecure, or excessively dated.
  • Facilitate direct funding efforts such as TideLift which provide direct financial support for developers to focus on matters such as security
  • How does OpenSSF Alpha and/or Omega fit with ASF
  • Look at the sponsored SOS rewards program
  • Think about which ASF projects would benefit from being covered by IBB (they reached out to us to expand our current set)
  • Looks at OpenSSF OSS Fuzz (high false positive rate - would benefit from manual triage by OSS Fuzz team before notifications are sent to maintainers). See also mail from GOSST

WH Theme: Identify Critical projects / Help users pick secure projects

WH Theme: SBOMS /  Notifications


  • Look again into SCR:CLR as a service to projects. Done. Rejected for various reasons.
  • Sometimes communication with vulnerability reporters breaks down, is it time to have a more structured tool for handling reports which forces the process? or is it more people engagement? or can we just require checkboxes before allocating CVE names in our existing tool?
    • From September 2022 we have a dedicated person paid by ASF to perform vulnerability handling functions
  • In July 2022 we implemented automated checks (INFRA-23459) to ensure packages contained the right signatures and met policy
  • No labels