Google Proposes "Know, Prevent, Fix" Framework For Dealing With Security Vulnerabilities
Google engineers are proposing a new framework called "Know, Prevent, Fix" for dealing with open-source security vulnerabilities.
Google is hoping the industry will get behind its "Know, Prevent, Fix" framework for dealing with open-source security issues. The effort centers on metadata and identity standards, new development processes to ensure sufficient code review for critical pieces of the infrastructure, and similar measures.
The framework focuses on knowing about vulnerabilities in software, preventing the addition of new vulnerabilities, and fixing or removing vulnerabilities. Some concrete items include a standard schema for accessing the multiple vulnerability databases, accurate tracking of software dependencies (including transitive ones), understanding the security risks of taking on new dependencies, and proper notifications to the relevant parties to speed up the handling of found vulnerabilities. Google is also suggesting that there be no unilateral changes to "critical software": every change should be signed off by both its author and an independent reviewer/approver, limiting the impact any single individual can have.
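As an added illustration (not part of the Phoronix article and not Google's code), the sketch below shows what "accurate tracking of software dependencies" and "a standard schema for accessing vulnerability databases" look like in practice: a transitive walk over a constructed lockfile, cross-referenced against a constructed advisory feed expressed in one normalized schema. The package names, versions, advisory IDs and the range semantics (introduced <= version < fixed, with a missing "fixed" meaning no fix yet) are all assumptions of this example and correspond to no real advisory.

```python
"""Added illustration (not Google's code): matching a project's transitive
dependency graph against a vulnerability feed in one normalized schema.
All packages, versions, advisory IDs and the schema itself are constructed
for this example."""
from collections import deque


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, ranges):
    """Affected if some range has introduced <= version < fixed.
    A missing 'fixed' means no fix has been published yet.
    (These range semantics are an assumption of this example.)"""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = r.get("fixed")
        if v >= lo and (hi is None or v < parse_version(hi)):
            return True
    return False


def walk_dependencies(lockfile, root):
    """Breadth-first walk of the dependency graph from `root`.
    Returns {package: shortest path from root}, so a report can say
    *why* a vulnerable package is present, not just that it is.
    Diamonds and cycles are handled by the visited check."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in lockfile[pkg]["deps"]:
            if dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def find_vulnerable(lockfile, root, vulndb):
    """Cross-reference every reachable package with the advisory feed."""
    by_pkg = {}
    for adv in vulndb:
        by_pkg.setdefault(adv["package"], []).append(adv)
    findings = []
    for pkg, path in walk_dependencies(lockfile, root).items():
        version = lockfile[pkg]["version"]
        for adv in by_pkg.get(pkg, []):
            if is_affected(version, adv["affected"]):
                findings.append({"id": adv["id"], "package": pkg,
                                 "version": version, "path": path})
    return sorted(findings, key=lambda f: f["id"])


# Constructed lockfile: package -> pinned version and direct dependencies.
# 'logutil' depending back on 'webframe' is a deliberate cycle.
LOCKFILE = {
    "myapp":    {"version": "1.0.0", "deps": ["webframe", "logutil"]},
    "webframe": {"version": "2.3.1", "deps": ["httpcore", "logutil"]},
    "httpcore": {"version": "0.9.4", "deps": ["logutil"]},
    "logutil":  {"version": "4.1.0", "deps": ["webframe"]},
}

# Constructed advisory feed in a single normalized schema (hypothetical IDs).
VULNDB = [
    {"id": "EXAMPLE-2021-0001", "package": "httpcore",
     "affected": [{"introduced": "0.9.0", "fixed": "0.9.5"}]},
    {"id": "EXAMPLE-2021-0002", "package": "logutil",   # fixed before 4.1.0
     "affected": [{"introduced": "4.0.0", "fixed": "4.0.9"}]},
    {"id": "EXAMPLE-2021-0003", "package": "webframe",  # no fix published
     "affected": [{"introduced": "2.0.0"}]},
]

if __name__ == "__main__":
    for f in find_vulnerable(LOCKFILE, "myapp", VULNDB):
        print(f"{f['id']}: {f['package']}@{f['version']} via "
              + " -> ".join(f["path"]))
```

The report for the constructed data flags the transitive `httpcore` pin (reachable only through `webframe`) and the unfixed `webframe` advisory, while `logutil` at 4.1.0 is correctly skipped because its advisory range closes at 4.0.9. Printing the path is the piece that makes the "know" step actionable: it tells a maintainer which direct dependency to bump or replace.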
Those wanting to learn more about Google's "Know, Prevent, Fix" proposal can read their initial thoughts/plans via the Google Open-Source Blog.