We propose starting a discussion on a standardized, machine-readable addition to git repositories that would serve two purposes:
a) Coordinated Vulnerability Disclosure
Provide the information needed for an anonymous, easily accessible, legally sound and ethical CVD process.
b) Up- & Downstream Vulnerabilities
Allow projects that use the code to receive vulnerability reports in a feed before the CVE is public.
Cunningham's Law states "the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer." We ask that this talk be understood in this sense: please let us know in the linked issues how this should be done properly ([CVD](https://codeberg.org/inoeg/BuntesBugBounty/issues/2), [Up- & Downstream Vulnerabilities](https://codeberg.org/inoeg/BuntesBugBounty/issues/3)).
To our understanding, securing FOSS requires two kinds of measures: preventive measures such as pen-tests and audits, and reactive measures such as a CVD process and the up- and downstreaming of relevant information.
Why do we care about this?
The “InÖG - Innovationsverbund Öffentliche Gesundheit e.V.” is a Germany-based open-source project that has been working on GovTech solutions for administration2X communication since 2021.
Our solution IRIS-Connect [1] ran in 54 public health centers in four states (North Rhine-Westphalia, Hesse, Saxony, and Thuringia), serving 30.4 million German citizens as the link between public health centers and contact tracing apps.
For us, security questions were central for two main reasons:
A) The sensitive information, including health data, that IRIS-Connect handled.
B) The non-negligible attack surface of public health centers.
Because of A), IRIS offers end-to-end encrypted (E2EE) communication between public health centers and the apps used by the population at large. The relevance of B) was underlined by the known vulnerabilities reported in similar solutions [2].
Given this situation, the government institutions interested in using our software wanted to know “whom they could call” if something went wrong. Under the pressure of the moment we were able to find practical short-term solutions, but the underlying issue remains. Especially with the EU's Cyber Resilience Act [3] on the horizon, the question of how to reach OSS projects will become more relevant.
For a more comprehensive view of the challenges of FOSS procurement, please see Miriam Swyffarth's talk: ”Why isn't the German administration procuring more FOSS?”
This talk is part of the InÖG's current cooperation with the BSI, Germany's cybersecurity agency, in the project “B3 - Buntes Bug Bounty”, which is part of the BSI's annual Cybersicherheitsdialog. For more information, please visit the project websites of both partners [4][5]. We acknowledge funding by the BSI in the form of reimbursement of expenses incurred by the volunteering contributors.
[1] https://github.com/iris-connect
[2] https://algorithmwatch.org/en/tracers/vulnerability-in-german-contact-tracing-app-luca/
[3] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
[4] https://www.inoeg.de/b3/
[5] https://www.dialog-cybersicherheit.de/workstreams/