Create 2024-Q4-VULN-WG.md

TI-reports/2024/TI-reports/2024/2024-Q4-VULN-WG.md

@@ -0,0 +1,73 @@
+# 2024 Q4 Vulnerability Disclosure WG
+
+
+## Overview
+The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers.
+
+The Vulnerability Disclosure Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF <img align="right" src="https://github.com/ossf/tac/blob/main/files/images/OpenSSF_StagesBadges_graduated.png" width="100" height="100">>
+
+<img align="right" src="https://github.com/ossf/wg-vulnerability-disclosures/blob/main/ossf-goose-vuln.png" width="300" height="300">
+
+
+### Key Resources
+- Coordinated Vulnerability Disclosure (CVD) Guides [link](https://github.com/ossf/oss-vulnerability-guide)
+- Tabletop Exercise Resources [link](https://github.com/ossf/wg-vulnerability-disclosures/tree/main/docs/TTX)
+- Open Source Vulnerability (OSV) schema [link](https://github.com/ossf/osv-schema)
+- OpenVEX schema & tools [link](https://github.com/ossf/OpenVEX)
+- Guide for Open Source Projects to become a CNA [link](https://github.com/ossf/wg-vulnerability-disclosures/blob/main/docs/guides/becoming-a-cna-as-an-open-source-org-or-project.md)
+- SIREN Mailing List [link](https://github.com/ossf/wg-vulnerability-disclosures/blob/main/docs/SIREN/siren-FAQ.md)
+
+### Sub-groups
+- OpenVEX SIG - [link](https://github.com/ossf/OpenVEX)
+
+
+
+### Leads	
+- WG - Madison Oliver (Github) & CRob (OpenSSF)
+- OpenVEX - Puerco (Stacklock)
+- OSV - Oliver Chang (Google)
+
+## Activity
+### General Working Group Activities
+- Preparation for abstracts for 2025 VulnCon conference - https://www.first.org/conference/vulncon2025/cfp
+- Discussion on adoption of Advise software - https://github.com/ossf/wg-vulnerability-disclosures/issues/152
+- VEX discussions
+
+
+### CVD Guides
+#### Purpose
+- Best practices guides focused on assorted OSS personas explaining how to have more effective coordinated vulnerability disclosure processes.
+#### Current Status
+- nothing at this time
+#### Up Next
+-  Planning on creating CVD Guide for OSS Consumers document Q4/Q12025
+
+### Tabletop Exercises
+#### Purpose
+- To share best practices on how to plan and run effective cybersecurity tabletop exercises and conducting mock disasters.
+#### Current Status
+- Ran our TTX at OSS-JP SOSS Community Day
+#### Up Next
+-  
+
+### OpenVEX
+#### Purpose
+- A group dedicated to the transparent sharing of vulnerability data through open formats, like VEX, so that participatants throughout the open source software supply chain have clear signals and better understanding of the impact of security vulnerabilities to the software and components they produce, depend upon, consumer, and deliver.
+#### Current Status
+-
+#### Up Next
+-  
+
+### OSV
+#### Purpose
+- The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.
+#### Current Status
+-
+#### Up Next
+-
+
+
+
+## Previous Updates
+[June 2024](https://docs.google.com/presentation/d/1hW_Zp46xBoCRsOUtNM8EUwTQpnDU9MssoE0JEqvkkZg/)
+[Mar 2024](https://docs.google.com/presentation/d/1uSVAdO0QN8KItM_0sYcwsoNiKytM1Sa0effEPL_fNaw)