Sonatype and HackerOne team up to make open source safer

Sonatype, inventors of software supply chain management, has announced a partnership with HackerOne, a leading hacker-powered security platform, to create The Central Security Project (CSP). The first-of-its-kind programme brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in the Central Repository, the world's largest collection of open source components.

CSP is designed to be a centralised vulnerability reporting platform within the Java ecosystem. It will enable the community to report a vulnerability, receive quick feedback and see all other disclosed vulnerabilities for the ecosystem, in a single platform fuelled by HackerOne.

Community members will also be able to track reported issues by status, keep score around quantity and severity of exploits identified, and get credit for their work. Going forward, vulnerabilities reported through the CSP will be rapidly examined by a world class team of researchers so that fixes can be quickly made available to project owners and then responsibly disclosed to the public at large.

"When individual developers or ethical hackers try and report a new vulnerability to an open source project they often wait for months to get a response, with no guarantee they'll ever actually receive one," said Brian Fox, Co-founder and CTO of Sonatype.

Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process and turn to public lists or social media, where bad actors can easily find the details before fixes are created. Similarly, open source projects often don't have the resources to validate that all vulnerabilities reported are real issues.

"As the stewards of the Central Repository, we saw a unique opportunity to partner with HackerOne to simplify the vulnerability reporting process for all involved and help make open source safer for the world."

"Innovation happens faster when developers are able to share information, build on top of each other's discoveries and learn from each other. The same is true within the security community," said Marten Mickos, CEO of HackerOne. "The CSP brings together Sonatype's comprehensive repository of open source components with the world's largest community of ethical hackers. By working together, the entire open source community benefits and software becomes safer for everyone."

The programme will initially focus on the Java ecosystem within the Central Repository, with the goal of expanding to other ecosystems over time.

How the Central Security Project works:

1. Sonatype has added 'report a vulnerability' links to every project page within the Central Repository and OSS Index
2. The links will connect individual developers and ethical hackers to the HackerOne platform where they can easily report potential exploits
3. When vulnerabilities are reported, Sonatype's security research team will rapidly assess the report and, where appropriate, develop a fix
4. HackerOne will communicate with relevant project owners and facilitate CVE assignment
5. Once the fix has been released, the vulnerability will be publicly disclosed through HackerOne's Hacktivity page and the person who reported it will be credited for its discovery and submission

www.intelligentciso.com | Issue 13 | 61