Session: We got a Security Issue; What Now? Setting up vulnerability disclosure for open source projects
Someone emails you that they’ve found a vulnerability in your project; do you know what to do? Don’t panic; you don’t have to be a security expert to handle vulnerabilities reported to you (and even ones that *aren’t* reported!). This talk will take you through what vulnerability disclosure is and how to set up coordinated vulnerability disclosure (CVD) for your open source project. You’ll leave with a plan (before you need a plan) and resources for creating artifacts like a security policy (frequently seen as a `SECURITY.md`).
