Sonatype and HackerOne Eliminate the Pain of Reporting Open Source Software Vulnerabilities

March 21, 2019 By Bruce Mayhew

The power of open source never ceases to amaze me. It’s transformed, and continues to transform, the way we build software, for the better. And, it’s all done collaboratively through an incredible community.

While the conversations around developer security and open source vulnerabilities have heated up in recent years, many people still don’t understand, or think about, the actual vulnerability reporting workflow and best practices for reporting in an actionable way. Because the open source ecosystem is built by millions of people and across hundreds of thousands of projects, there has never been an efficient or easy process for what to do when a vulnerability is discovered.

Today, we’re changing that. We’ve teamed up with HackerOne to build The Central Security Project (CSP), a pioneering program that brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in The Central Repository. The partnership utilizes HackerOne’s unique vulnerability reporting platform and Sonatype’s security research capabilities to fast track potential code exploits and ease the painful process of CVE vulnerability disclosure and reporting.

We’ve long served as the stewards of The Central Repository, providing it as a free service to support the development community. We take our responsibility as stewards seriously - and recognized that we could be doing even more to make the component contributions it houses safer.

Any researcher who has ever had the experience of reporting a vulnerability to an open source project is painfully aware of the headaches involved in that process. From finding the appropriate security contact at the project to identifying the proper grace period for disclosure, the path to vulnerability reporting is circuitous and frustrating.

With the launch of the CSP, Sonatype hopes to eliminate four main pain points of vulnerability reporting:

  • Issue Reporting: Provide a unified platform for reporting an issue to a project. Instead of researchers having to dig around for the appropriate security contact at a project, they can submit a vulnerability through the platform and leave it to Sonatype to make contact. No fuss, and no missed or ignored emails. We will also encourage all projects in the Central Repository to link to this reporting mechanism to ease their burden.

  • Issue Validation: Promptly after submission, Sonatype will work with the Project and the researcher to validate the issue and keep the researcher apprised of issue progress with automated notifications through the platform. The researcher doesn’t have to continuously follow up or try to contact an individual project. This is particularly helpful if a researcher is reporting multiple issues across projects. Progress reports and comments on each issue reported are aggregated in a single place that is easy to see and manage.

  • CVE Process: Unless the researcher is affiliated with or works for an organization that can procure a CVE number, having one assigned is difficult. The CSP Data Research team will work with HackerOne to ensure that a CVE number is assigned as expeditiously as possible, eliminating the need for researchers to manage the 13 steps for CVE reporting. The CSP will take care of coordinating that effort.

  • Recognition: Few things are more frustrating than spending time you’ll never get back reporting a vulnerability to a project, having that issue confirmed and never getting credit for having gone through the trouble. On the CSP platform, developers and researchers who report issues that are validated will receive full credit, platform points and an improved reputation score through HackerOne. We believe in acknowledging people who take the extra effort to help make open source ecosystems safer for all.

How it Works:

  1. “Report a vulnerability” links will be added to every project page within The Central Repository and OSS Index. The Central Repository is the largest collection of Java and other open source components. It provides the easiest way to access and distribute software components to millions of developers. It is the default repository for Apache Maven, SBT and other build systems and can be easily used from Apache Ant/Ivy, Gradle and many other tools.

     

     

     [Images: CSP OSSindex, CSP Central]

  2. From there, developers and researchers with a potential exploit to report will utilize HackerOne’s platform to submit the request.

  3. When vulnerabilities are reported, Sonatype’s security research team will rapidly assess the report and, where appropriate, develop a fix.

  4. HackerOne will contact the target project and open a dialogue.

  5. As a Certified CNA, HackerOne will facilitate CVE assignment.

  6. After the fix has been released, the report will be made public and the reporter will receive credit for the submission.

  7. The reporter will be able to see the submitted vulnerability and all disclosed vulnerabilities for the ecosystem on the platform.

Join this important mission and a community of like-minded researchers at the Central Security Project today. We look forward to seeing you there!

 

Written by Bruce Mayhew

Bruce Mayhew serves as Sonatype's Director of Data and Security R&D, where he's focused on product development and research around collecting, analyzing and understanding millions of open source libraries.