This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
In preparation for becoming a CNA, the PSF now has a public advisory database on GitHub which hosts advisories in the Open Source Vulnerability format (OSV). This database will host historical advisories in addition to new advisories and CVEs for the PSF CNA for projects in scope like Python and pip.
I shared this newly published database with the OpenSSF Vulnerability Disclosures WG and received lots of feedback and tips for managing an OSV advisory database. Madison Oliver of GitHub Security gave advice on being a CNA and guidance for hosting first-party and third-party advisories as a CNA. I also received helpful feedback from Oliver Chang and Andrew Pollock. Thanks everyone!
Being a participant in the distributed vulnerability database for OSV requires choosing an ID prefix for advisories.
PSF was chosen as the prefix, and the prefix was accepted into the OSV schema specification.
After the prefix was selected I configured automation in the database to automatically assign IDs for the
I spent time importing existing advisories for Python from Victor Stinner's manually curated list of vulnerability fixes. Some of these fixes don't include a CVE ID, so they need to be disambiguated based on other information like a bugs.python.org issue ID.
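As an added illustration of that import step (example code written for this page, not the PSF's own tooling): the routine below groups curated fix entries by CVE ID or, when an entry has none, by its bugs.python.org issue ID, and emits minimal OSV records. The sample entries and the `PSF-<year>-<n>` ID shape are assumptions.

```python
# Constructed sample entries (not the real curated list): some carry a CVE,
# some only a bugs.python.org (bpo) issue number, and one bpo issue was fixed
# in two release branches so it appears twice.
CURATED_FIXES = [
    {"cve": "CVE-0000-00001", "bpo": 10001, "summary": "example fix A", "fixed": "3.12.1"},
    {"cve": None, "bpo": 10002, "summary": "example fix B", "fixed": "3.12.1"},
    {"cve": None, "bpo": 10002, "summary": "example fix B", "fixed": "3.11.7"},
    {"cve": None, "bpo": None, "summary": "unusable entry", "fixed": "3.12.1"},
]

def fix_key(entry):
    """Disambiguate an entry: prefer its CVE ID, else fall back to the bpo issue ID."""
    if entry.get("cve"):
        return entry["cve"]
    if entry.get("bpo"):
        return f"bpo-{entry['bpo']}"
    raise ValueError("entry has neither a CVE ID nor a bpo issue ID")

def to_osv(group, osv_id, modified):
    """Build a minimal OSV record (id and modified are the required fields)."""
    first = group[0]
    events = [{"introduced": "0"}] + [{"fixed": e["fixed"]} for e in group]
    record = {
        "id": osv_id,
        "modified": modified,
        "summary": first["summary"],
        "affected": [{"package": {"ecosystem": "Python", "name": "CPython"},
                      "ranges": [{"type": "ECOSYSTEM", "events": events}]}],
        "references": [],
    }
    if first["cve"]:
        record["aliases"] = [first["cve"]]
    if first["bpo"]:
        record["references"].append(
            {"type": "REPORT", "url": f"https://bugs.python.org/issue{first['bpo']}"})
    return record

def import_fixes(fixes, year, modified="2023-01-01T00:00:00Z"):
    """Group entries by fix_key, set aside unusable ones, assign sequential IDs.
    The PSF-<year>-<n> ID shape is an assumption made for this example."""
    groups, skipped = {}, []
    for entry in fixes:
        try:
            groups.setdefault(fix_key(entry), []).append(entry)
        except ValueError:
            skipped.append(entry)
    records = [to_osv(g, f"PSF-{year}-{n}", modified)
               for n, g in enumerate(groups.values(), start=1)]
    return records, skipped
```

Entries that share a bpo issue collapse into one record with one fixed event per release branch, while an entry with neither identifier is returned separately for manual review rather than silently assigned an ID.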
The PSF CNA registration process has been making progress! 🚀
Towards publishing the materials to the OpenSSF Vulnerability Disclosures WG, I've applied to join the CVE Outreach and Communications WG to review the draft guidance materials. I'm also drafting a blog post for once the PSF is announced as a CNA.
I've been getting questions answered from the CNA Program Coordinator specifically around operating a CNA as an open source foundation or project. These answers will be completely written up in the guidance.
If you have 1-2 hours of time and would like to experience the training regimen I've given PSF staff to prepare for the CNA onboarding call, you can take a look at this Gist.
Wow, you made it to the end!
If you're like me, you don't believe social media should be the way to get updates on the cool stuff your friends are up to. Instead, you should either follow my blog with the RSS reader of your choice or via my email newsletter for guaranteed article publication notifications.
If you really enjoyed a piece I would be grateful if you shared it with a friend. If you have follow-up thoughts you can send them via email.
Thanks for reading!