Open Source Summit Europe 2019 | Securing open-source
Open-source projects have a more nebulous operating model, and that also means it's harder to figure out who's on the hook when something goes wrong.
In security, if you're running an open-source project that's widely used, that means the community looks to you for help identifying and addressing vulnerabilities. We'll discuss what a mature open-source project does for security, including:
- mapping and understanding dependencies, and frequently patching those,
- responding to incidents in a private manner, and managing disclosures,
- patching vulnerabilities and vulnerability management, and
- running a bug bounty program.
Altogether, these make up a complete security response program for a larger open-source project. We'll also discuss what to do first if your project is just getting started, what to prioritize with limited resources (that's every project!), and what smaller projects can do when all of these pieces aren't possible.