
Moving past the CVE back-and-forth 

Tidelift

In his Upstream session, James Berthoty, CEO of Latio Tech, provides an overview of the problem with submitting CVEs through GitHub issues: why it is frustrating for compliance teams and maintainers alike. In this clip, he explains how, to move past the CVE back-and-forth, we need to pay open source maintainers and build a better working relationship with them.
Watch the full talk here: explore.tideli...
Transcript:
So what are some better ways forward here that we can make more sense of this CVE back and forth that happens? The first, which is something I'm always advocating for, is that we call open source maintainers vendors when we treat them like vendors, and we publish CVEs and expect them to fix them as though they're contractors. And so we should actually pay them and have some kind of contract in place as though they are vendors or contractors to establish the relationship ahead of time. It's extremely unfair how we expect them to patch CVEs without having any formal relationship to us.

Published: 21 Oct 2024
