New work in OpenSSF: OSS VulnDB program


Olle E Johansson

Nov 28, 2025, 3:36:55 AM
to c...@owasp.org, Christopher Robinson
Hi!

This week in the OpenSSF Vulnerability Disclosures working group Crob shared the attached file about a new project being set up by the OpenSSF.

The target is to build on OSV.DEV and extend it. Several members of the foundation have pledged serious funding for this project and the board
has approved the initial plans. At the core is this recommendation:

"Recommendation:
We propose expanding the existing Open Source Vulnerability database (OSV) ecosystem to extend the already existing global, federated vulnerability management system, anchored in open collaboration. This expanded system would build services, processes, and tooling to make it easy for projects, communities, and organizations to contribute data and participate actively across the federated network.

Potential path forward has been identified:
Create a neutral, non-profit Foundation that would oversee this initiative, operating under the umbrella of the Open Source Security Foundation (OpenSSF). This new Foundation would drive cross-ecosystem coordination, stewardship of the federated model, and development of shared services (such as contribution tooling, discovery APIs, and shared trust and validation mechanisms) as well as hosting such infrastructure.

We will be assembling a broad coalition of SMEs from across industry and OSS foundations/projects to help develop and implement this program."

Many of the requirements produced by this group have been used as input for this work. The OpenSSF invites other foundations to join the work
to make sure this is beneficial for all.

In short:
* Set up a new foundation
* Build on the existing work in OSV.DEV
* Google is willing to migrate the existing OSV.DEV platform into this new project
* Add a workflow where projects can get support for handling their issues
* Make sure projects report once and issues will be forwarded to other vulnerability management systems

Nothing is carved in stone yet, so there will be room for discussions.

When I started the GVIP I focused on the long term solution. I still believe we need to continue that work
and spend time on moving GVIP forward.

This work is targeting the short term problems with the CVE program and the NVD. In addition, it will
be important in the light of worldwide regulations, right now with a focus on the EU CRA.

There will be an invitation to workgroup meetings for this project very soon.
As soon as it is sorted out, I will forward the meeting info to this mailing list.

Looking forward to your feedback!

/Olle

_LF.OSS.VulnDBProgram.-.VulnDiscWG.pdf

Steve Springett

Nov 28, 2025, 11:38:09 PM
to c...@owasp.org, Olle E Johansson, Christopher Robinson
Thanks Olle.

A long term solution is still absolutely necessary. I do not see anything in this proposal that addresses the challenges we've previously discussed. If anything, those challenges will be amplified and even harder to address than they are now. IMO, the proposal addresses the needs of the last decade, not this one.


— Steve
--
--
Please also join the conversation on OWASP's Slack. https://owasp.org/slack/invite Join channel #cve-wg.
---
You received this message because you are subscribed to the Google Groups "CVE" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cve+uns...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/cve/48EEFDD0-EEF1-4674-A2C7-A6E3D9B97D94%40owasp.org.


Olle E Johansson

Nov 29, 2025, 4:58:34 AM
to Steve Springett, c...@owasp.org, Christopher Robinson


> On 29 Nov 2025, at 05:38, Steve Springett <steve.s...@owasp.org> wrote:
>
> Thanks Olle.
>
> A long term solution is still absolutely necessary. I do not see anything in this proposal that addresses the challenges we've previously discussed. If anything, those challenges will be amplified and even harder to address than they are now. IMO, the proposal addresses the needs of the last decade, not this one.
Yes, the long term work should continue as before and I hope to have some news about that soon.

Thank you for your feedback
/O

Josh Bressers

Nov 29, 2025, 8:24:15 PM
to Steve Springett, c...@owasp.org, Olle E Johansson, Christopher Robinson
On Fri, Nov 28, 2025 at 10:38 PM Steve Springett <steve.s...@owasp.org> wrote:
> Thanks Olle.
>
> A long term solution is still absolutely necessary. I do not see anything in this proposal that addresses the challenges we've previously discussed. If anything, those challenges will be amplified and even harder to address than they are now. IMO, the proposal addresses the needs of the last decade, not this one.

I would be interested in better understanding the long term ideas here.

The honest reality right now is CVE is the only identifier that will matter for the foreseeable future. Any plan (this one or a future longer term idea) will need to be part of the CVE project or it's going to be dead on arrival.

And the hard mode in all this is we don't know what happens to CVE in the near future, so maybe we should be talking to MITRE or maybe we should be talking to CISA.

-- 
     Josh

Francesco Cipollone

Nov 30, 2025, 9:43:06 AM
to Josh Bressers, Steve Springett, c...@owasp.org, Olle E Johansson, Christopher Robinson
Nice, will look forward to hearing more. We started bypassing the CVE database and getting directly into advisory feeds, parsing through the agentic intelligence engine: https://ai-threat.phoenix.security/?layer=enterprise&input=H4sIAAAAAAAAE3MOc9U1MjAy1jU0MjYBAJ3XJ3oNAAAA
will see if this initiative improves the data quality 


Regards
Francesco Cipollone
CEO & Co-Founder @ Phoenix Security
Download the latest whitepaper on NIS2, DORA
ACT Now on risk - Fix Vulnerabilities that matter most


