Toward an Open Source Process for Security Vulnerabilities

Accepted Session
Long Form
Scheduled: Thursday, June 28, 2012 from 10:00 – 11:45am in B301


Security vulnerabilities can be a source of anxiety and lost sleep, or they can be a carefully managed opportunity to bring communities together, practice safe operational habits, and prevent problems. Join me to discuss how we can all manage our security issues sanely and cooperatively, and lose less sleep!


Software security vulnerabilities are a real source of stress in the open source software community, and need to be handled efficiently and effectively. At ISC, because our specialty is software used as critical internet infrastructure, we deal with these issues often. For the past two years we have been working through a substantial change and improvement to how we manage these vulnerabilities: from finding them, through fixing them, through communicating about them with our users, vendors who include our software, security and government organizations, and others. Through our Phased Vulnerability Disclosure process, we provide increasing levels of disclosure of vulnerabilities through a series of notifications, so that industry can prepare without rushed actions, and critical infrastructure can be upgraded without “bad guys” knowing about the vulnerability.

As an organization dedicated to open source software and open process, ISC is publishing the policies, processes, and tools involved in our process, and seeks to engage with the rest of the open source community to ensure that our process works smoothly for all of us, and to assist others who want to build similar processes for their own open source projects and organizations. This session will be part lecture on how ISC has done things, part discussion of resources available for the management of vulnerabilities, and part brainstorming and planning session on how open source organizations can best collaborate to handle such issues effectively in the future.

Speaking experience

I have spoken at many conferences and company events over the years. Last year I gave a talk about agile software process at Open Source Bridge. I gave a similar talk to this one at USENIX LISA '11 to a nice-sized and enthusiastic audience.



Larissa Shapiro

Larissa works on the Mozilla project, where, after having led product management process change, she has shifted to leading contributor and pathway development on the community building team, which seeks to change the community building culture for the better and grow Mozilla’s global contributor base.

Prior to joining Mozilla, Larissa was the first (and only) Product Manager at Internet Systems Consortium, an open source public benefit organization which is the creator and maintainer of BIND, the DNS software which serves 80% or more of the nameservers on the internet. She lives in Santa Cruz, California, with her family. When she is not working on open source projects, she likes to garden and sing the blues.