When a security researcher finds a security bug, what do they do? Unfortunately, the answer sometimes is they search for the appropriate people to notify and, when they can’t be found, end up posting the vulnerability to public email lists, the GitHub project, or even Twitter.
This is the problem that security platform HackerOne and software supply chain management tool Sonatype have teamed up to solve with The Central Security Project, a new effort that “brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in The Central Repository, the world’s largest collection of open source components,” according to a statement.
“We have a critical need to centralize security reporting in the open source industry especially given the proliferation of ecosystems like Github which encourage decentralization,” said Blevins. “The Central Security Project is a significant industry milestone that creates an open source reporting ecosystem that can function at GitHub scale.”
Read more at The New Stack