Open Source Computer Security Incident Response Team
The oCERT project was started in March 2008 and concluded in August 2017.
History
The oCERT was a public effort to provide security vulnerability mediation
for the open source community, maintaining reliable security contacts between
registered projects and reporters that needed to get in touch with a specific
project regarding infrastructure security issues or projects vulnerabilities.
The project was announced at the CanSecWest conference in March 2008, many
years before bug bounties or efforts like Google Project Zero were introduced.
The oCERT effort was very much ahead of its times.
The idea spawned from the quite obvious need for coordinated vulnerability
investigation and disclosure among open source projects, particularly with multiple
libraries statically included by a vast number of software.
To this end Andrea Barisani and Daniele Bianco from Inverse Path along with
Will Drewry and Tavis Ormandy from Google, decided to create oCERT. The team
was assisted by an advisory board with Solar Designer and Dragos Ruiu as members.
The project contributed 61 advisories covering vulnerabilities ranging from
single project bugs, to critical findings affecting core libraries and numerous
projects sharing their code, up to entirely new classes of vulnerabilities
affecting multiple programming languages.
The oCERT project was sponsored by Inverse Path
and Google with hosting kindly provided by the
OSU Open Source Lab.
oCERT was authorized to use the CERT mark by Carnegie Mellon University's
Software Engineering Institute; however, oCERT has never been otherwise
affiliated or endorsed by Carnegie Mellon University or its CERT Coordination Center.
Advisory archive
All published advisories are archived here.
Disclosure policy
-
All membership requirements and responsibilities were publicly known.
-
Distribution was determined in two ways, registered
vendors/maintainers and extracted Open Source project contacts
from authoritative resources like code.google.com/sourceforge/rubyforge/etc where applicable.
-
oCERT agreed to keep things moving efficiently, acknowledging that long or
moved embargo dates can have significant impact on vendors, users and open
disclosure and will be avoided where possible.
-
All bug/incident timeline and discussion summary were made
public after an embargo date. The embargo was optional and applied only
when considered necessary for appropriate coordination, reports were released
as early as possible and in any case embargo was not longer than 2 months.
-
The following time frames regulated oCERT embargo proposals:
* 7 days, in case the issue is already well narrowed down and tested, requiring trivial configuration and/or code change
* 14 days, standard embargo for most cases
* 30 days, in case of critical and complex vulnerabilities (example, trivial exploitation of administrative privileges on a static library affecting a large number of packages), and with the agreement of all parties
* under extremely exceptional circumstances, if the oCERT Team and all the parties involved felt the need for longer time, a 2 months embargo was applied, in this case we would clearly document the decision for public review
* in any circumstance reporter preference was always honoured in case a joint agreement was not reached, as oCERT would be anyway unable to force its embargo