The Central Security Project: Vulnerability Reporting for Open Source Java
When a security researcher finds a security bug, what do they do? Unfortunately, the answer sometimes is they search for the appropriate people to notify and, when they can’t be found, end up posting the vulnerability to public email lists, the GitHub project, or even Twitter.
This is the problem that security platform HackerOne and software supply chain management tool Sonatype have teamed up to solve with The Central Security Project, a new effort that “brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in The Central Repository, the world’s largest collection of open source components,” according to a statement.
In an interview with The New Stack, Sonatype co-founder and Chief Technology Officer Brian Fox explained that the new project was meant to help provide a single way for vulnerability disclosures to be made.
“The idea here is to provide a place for researchers who find a zero-day vulnerability and want to disclose it to the project. We want to create a place for them to go. We run the Maven Central Repository, the default location for any Java open source components. Some of those will have existing security teams, like the ones that come from the Apache Foundation or Eclipse, but many of these projects are just one or two-man band kind of things that don’t have a formal place to privately disclose vulnerabilities and do the research and get a CVE assigned,” said Fox. “In lieu of a good place and process for doing that, we’ve seen researchers throw their hands up and just post the vulnerability on Twitter or on the GitHub project or to email lists. It’s not really a responsible disclosure at that point because everyone has access to it before fixing it. That’s the problem we’re trying to solve.”
With this new partnership, the two companies will combine Sonatype’s data research capabilities together with HackerOne’s reporting platform to make it so vulnerabilities are properly disclosed to interested parties, allowing them time to find a solution before being reported to the public.
First, HackerOne will accept vulnerability reporting, which will be linked to by Sonatype on every project page within the Central Repository and OSS Index. When a new vulnerability is reported, Sonatype will assess the report and, where appropriate, develop a fix. HackerOne will then communicate directly with project maintainers and assign a common vulnerabilities and exposures (CVE) number, which contains an identification number, a description, and at least one public reference for the vulnerability. From there, maintainers are given 90 days to provide a fix and once the vulnerability has been fixed, “the vulnerability will be publicly disclosed through HackerOne’s Hacktivity page, and the person who reported it will be credited for its’ discovery and submission,” according to the statement.
“We have a critical need to centralize security reporting in the open source industry especially given the proliferation of ecosystems like Github which encourage decentralization,” said Blevins. “The Central Security Project is a significant industry milestone that creates an open source reporting ecosystem that can function at GitHub scale.”
According to Fox, whether or not this project moves beyond Java depends on its success.
“If this becomes successful and there continues to be a need for other ecosystems, we would likely launch a similar thing and attach it to OSS Index,” said Fox. “We’re trying to close that gap. If you have knowledge of a vulnerability and can’t find how to disclose it, we’ll be the intermediary.”