Tuesday, July 3, 2012

Anatomy of an Apache vulnerability report, and Secure Release Management


Last year I volunteered with the local St John's Security BSides conference by providing blog coverage, and other help behind the scenes. This year I've submitted a talk covering the anatomy of an Apache vulnerability report and secure release management. UPDATE: My talk has been accepted!

If you're not familiar with the BSides conference series, here is a quote from their website: "Security BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening."

In my talk we'll walk through the procedure for reporting a security vulnerability to an Apache project, and what you as the reporter should expect to see as the project community validates the issue and works towards a fix. After covering the process, we'll look at the content of a Common Vulnerabilities and Exposures (CVE) report.



We'll then switch gears to talk about how users can validate that their Apache project downloads are in fact legitimate. This is one of the more important safety practices that I tend to show users: every Apache project publishes a PGP signature and checksums alongside each release, and I'll show the audience how they too can verify that the artifacts they downloaded are the ones the project community actually released.
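As an added example of the verification step described above (this is not code from the talk or from any Apache project), the script below checks a downloaded artifact against its `.sha512` checksum file and, optionally, its detached `.asc` signature using the project's KEYS file. It assumes the two checksum-file layouts Apache mirrors have used (`sha512sum` output, and `gpg --print-md` output with the hex wrapped across lines), assumes `gpg` is on PATH for the signature check, and uses a constructed fake artifact named `apache-example-1.0.tar.gz` for the offline demo.

```python
"""Verify an Apache release download: .sha512 checksum, then .asc signature.

Added example, not from the talk or any Apache project.  Assumptions:
  - .sha512 files use either 'sha512sum' or 'gpg --print-md' layout;
  - gpg is on PATH (only needed for verify_signature);
  - the artifact name used in run_demo() is made up.
"""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def parse_sha512_file(text: str, artifact_name: str) -> str:
    """Return the lowercase hex digest recorded for artifact_name.

    (a) sha512sum layout:      '<128 hex>  <filename>' per line
    (b) gpg --print-md layout: '<filename>: ABCD EF01 ...' wrapped over lines
    A checksum recorded for a different file name is rejected, so a swapped
    or mismatched checksum file cannot pass by accident.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for ln in lines:  # layout (a)
        m = re.fullmatch(r"([0-9A-Fa-f]{128})\s+\*?(\S+)", ln)
        if m and m.group(2) == artifact_name:
            return m.group(1).lower()
    joined = " ".join(lines)  # layout (b): re-join the wrapped hex groups
    m = re.fullmatch(r"(\S+):\s*([0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*)", joined)
    if m and m.group(1) == artifact_name:
        digest = re.sub(r"\s+", "", m.group(2)).lower()
        if len(digest) == 128:
            return digest
    raise ValueError(f"no SHA-512 entry for {artifact_name!r} in checksum file")


def sha512_of(path: Path) -> str:
    """Stream the file through SHA-512 so large tarballs are not read at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(artifact: Path, checksum_file: Path) -> bool:
    """True only if the recorded digest matches the downloaded bytes."""
    expected = parse_sha512_file(checksum_file.read_text(), artifact.name)
    return expected == sha512_of(artifact)


def verify_signature(artifact: Path, sig_file: Path, keys_file: Path) -> Optional[str]:
    """Import KEYS into a throwaway keyring and verify the detached .asc with gpg.

    Returns the signing key's fingerprint from gpg's VALIDSIG status line, or
    None if the signature does not verify.  Caveat: a valid signature only
    shows the file was signed by *some* key in KEYS, so fetch KEYS and the .asc
    from apache.org itself (not a mirror) and compare the fingerprint with the
    one named in the project's release announcement.
    """
    with tempfile.TemporaryDirectory() as home:  # mkdtemp creates it mode 0700
        base = ["gpg", "--batch", "--no-tty", "--homedir", home]
        subprocess.run(base + ["--import", str(keys_file)],
                       check=True, capture_output=True)
        proc = subprocess.run(base + ["--status-fd", "1", "--verify",
                                      str(sig_file), str(artifact)],
                              capture_output=True, text=True)
        for line in proc.stdout.splitlines():
            if line.startswith("[GNUPG:] VALIDSIG "):
                return line.split()[2]
        return None


def run_demo() -> dict:
    """Offline demo on a constructed artifact: both checksum layouts, a
    tampered copy, and a checksum file naming a different artifact."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        art = d / "apache-example-1.0.tar.gz"  # hypothetical name
        art.write_bytes(b"not a real Apache release\n")
        digest = sha512_of(art)
        (d / "a.sha512").write_text(f"{digest}  {art.name}\n")
        groups = [digest[i:i + 4].upper() for i in range(0, 128, 4)]
        rows = [" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
        (d / "b.sha512").write_text(f"{art.name}: " + "\n  ".join(rows) + "\n")
        results["sha512sum_layout"] = verify_checksum(art, d / "a.sha512")
        results["print_md_layout"] = verify_checksum(art, d / "b.sha512")
        art.write_bytes(b"not a real Apache release\n# tampered")
        results["tampered"] = verify_checksum(art, d / "a.sha512")
        (d / "other.sha512").write_text(f"{digest}  some-other-file.tar.gz\n")
        try:
            verify_checksum(art, d / "other.sha512")
            results["wrong_name_rejected"] = False
        except ValueError:
            results["wrong_name_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Checksums only catch corrupted or mismatched downloads; a mirror that can replace the tarball can replace the `.sha512` beside it too, which is why the signature check against a KEYS file obtained from apache.org is the step that actually ties the artifact to the project's release manager.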
