Any Open Source project, or vendor, totally or partially involved in Open Source, can apply and receive services. Enrollment requires registration with oCERT to confirm valid and trusted contacts.

As a member, oCERT would be able to co-ordinate with you regarding security reports, advisories and incident handling in a quick and efficient way.

If you are a small project lacking security handling resources we can aid you in tracking down the extent and nature of potential compromises and security vulnerabilities and co-ordinate with all affected parties (like projects that ship your code).

If you are a big project and/or Open Source vendor we can promptly communicate with you reports and vulnerabilities that might affect your codebase and infrastructure and help you out with your security requirements.

Any software vendor or organization may register as long as their activity is known to affect Open Source platforms.

A baseline of criteria is established for accepting members:

  1. OS/distribution/project must be active
  2. Must have a good record in being responsive and proactive in handling security issues
  3. Must have an active security contact
  4. Must agree with our disclosure policy

Additionally the following standards regarding information disclosure of embargoed incidents/vulnerabilities apply to members:

  1. May use the information to investigate and prepare fixes in advance
  2. Must not share the information, own investigation results, or fixes outside their direct organization (including, but not limited to, partners, customers, sponsors - and having an NDA in place is no excuse) without permission from the team
  3. Must not include a fix for embargoed vulnerabilities silently in code which goes public before the embargo
  4. Must not publicly act on the information directly or indirectly (e.g. by pushing a new IDS rule that would capture exploits for the vulnerability to customers)

oCERT agrees to keep things moving efficiently, acknowledging that long or moved embargo dates can have significant impact on vendors, users and open disclosure and will be avoided where possible. In any case our Disclosure Policy won't allow embargoes longer than 2 months.

Existing members may sponsor new membership applications.

While membership is necessary to be involved in the entire process of the incident/vulnerability handling, it is not meant to be a requirement for submission of vulnerabilities or security information. Non-members are encouraged to report security issues and contact the Team.

If you want to join us as a member please email us at membership [at] ocert [dot] org.

© - Some rights reserved.