
Guide to coordinated vulnerability disclosure for open source projects

This repository is a set of resources and reference materials to help open source projects with coordinated vulnerability disclosure. It was originally designed to help open source projects coming out of Google, so not all materials or recommendations may be applicable to your project.

For Googlers: Please see the OSPO site for documentation.

This repository contains:

Getting Started

If you are new to coordinated vulnerability disclosure, it is recommended you start with the Guide. While it is dense, you will want to be familiar with this information and the concepts presented before you need to address a vulnerability report.

If you are familiar with coordinated vulnerability disclosure, you can get a refresher by skipping to the Response Process section of the Guide, or go straight to the Runbook.