The Open Source Security Foundation has launched an email mailing list to share threat intelligence regarding vulnerabilities in open source software.
Siren aims to �“aggregate and disseminate threat intelligence” to provide real-time security warning bulletins and deliver a community-driven knowledge base, according to OpenSSF. Members could use the mailing list to provide and receive information such as tactics, techniques, and procedures used in attacks on open source software, as well as indicators of compromise from real incidents.
The initiative is driven in part by the recent discovery of a backdoor in the XZ Utils library, when it became clear that there is no centralized method for open source projects to distribute and receive threat intelligence. As different researchers dug into the backdoor in XZ Utils, their findings were shared in various forums and independent blogs. There was no central location for people to find relevant information.
Various industry sectors rely on information sharing and analysis centers (ISAC) to facilitate the distribution of threat information regarding attacks against that sector. The existing oss-security mailing list is useful for communicating vulnerabilities within the community, but there is a “lack of efficient channels for sharing information about exploits with a broader audience, including open source projects, distributors, security researchers, and developers,” OpenSSF said.
OpenSSF’s hope is that the mailing list could fill this gap for open source projects and give the community a centralized location to find information about threats as they occur. Siren will not be a place to disclose new flaws, but rather a “post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination.”
Siren will be publicly available. Registration will be required only to post on the list. OpenSSF encouraged people across the community, “a developer, maintainer, or security enthusiast,” to sign up.
This post was originally published on the 3rd party site mentioned in the title of this this site