workflow:open-source-security-disclosure
Open Source Security Disclosure overview
Manages coordinated security-vulnerability disclosure for open-source projects the organization maintains: receiving and triaging inbound vulnerability reports through the security-contact channel, reproducing reported vulnerabilities and scoring their severity with CVSS, developing patches in private forks so that fix details are not exposed before release, coordinating disclosure timelines with reporters and downstream distributors, preparing security advisories and obtaining CVE ID assignment, releasing patched versions with a coordinated announcement across mailing lists and GitHub security advisories, and conducting a retrospective to identify systemic vulnerability patterns. Produces a security advisory, a patched release, and a vulnerability retrospective. Excludes ongoing security scanning.
Attributes
Outgoing edges
- domain:security·DomainSecurity
- domain:software-engineering·DomainSoftware Engineering
- role:security-reviewer·RoleSecurity Reviewer
- role:staff-engineer·RoleStaff Engineer
- role:devrel·RoleDeveloper Relations
- org-unit:security-team·OrgUnitSecurity Team
- org-unit:open-source-program-office·OrgUnitOpen Source Program Office
- org-unit:application-security-team·OrgUnitApplication Security Team
- skill-area:dependency-vulnerability-mgmt·SkillAreaDependency Vulnerability Management
- skill-area:supply-chain-security·SkillAreaSoftware Supply Chain Security
- responsibility:security-review·ResponsibilitySecurity review
- responsibility:respond-incidents·ResponsibilityRespond to production incidents