
Open source maintainers are not contracted vendors

Tidelift

In his Upstream session, James Berthoty, CEO of Latio Tech, gives an overview of the problem with filing CVEs as GitHub issues, and why it is frustrating for compliance teams and maintainers alike. In this clip, he emphasizes that open source maintainers, who are often volunteers, are not contracted vendors.
Watch the full talk here: explore.tideli...
Transcript:
Now, vendor dependencies are where these CVEs, by default, have to fall, even though open source maintainers don't have a contract in place to make them a vendor in a formal sense. Nonetheless, that's how they have to be treated, because there are really no other options for what to do with these vulnerabilities when they're discovered. And so when you have a vendor dependency, your guidelines are forcing you to... you're supposed to check in with the vendor upstream every 30 days, either for them to confirm that it's a false positive or for them to give you their timeline for remediation. And so that is the process that compliance has, and what you can see is, if they are following from a strict compliance viewpoint here, the number of options they have is very limited for how to report these findings to a vendor.

Published: 21 Oct 2024
