BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//program.foss-backstage.de//fossback23//speaker//WPAGZL
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fossback23-KEMRGG@program.foss-backstage.de
DTSTART;TZID=CET:20230314T123000
DTEND;TZID=CET:20230314T124000
DESCRIPTION:We want to propose to start the discussion on a machine-re
 adable standardized addition to git repositories which will serve two
 purposes:\n\na) Coordinated Vulnerability Disclosure\nProvide necessary
 information for an anonymous\, easy-access\, legally secure and ethica
 l CVD process.\n\nb) Up- & Downstream Vulnerabilities\nAllow projects
 using the code to receive reports on vulnerabilities in a feed before
 the CVE is public.\n\nCunningham's Law states "the best way to get the
 right answer on the internet is not to ask a question\; it's to post
 the wrong answer." We ask for this talk to be understood in this sense.
 Please let us know how this would be done properly in the linked issues
 ([CVD](https://codeberg.org/inoeg/BuntesBugBounty/issues/2)\, [Up- &
 Downstream Vulnerabilities](https://codeberg.org/inoeg/BuntesBugBounty
 /issues/3)).\n\nTo our understanding\, securing FOSS requires two kinds
 of measures: preventive measures like pen-tests and audits\, and
 reactive measures like a CVD process and up- and downstreaming of
 relevant information.\n\nWhy do we care about this?\n\nThe “InÖG -
 Innovationsverbund Öffentliche Gesundheit e.V.” is a German-based
 open-source project that has been working on GovTech solutions for
 administration2X communication since 2021.\n\nOur solution IRIS-Connect
 [1] ran in 54 public health centers in four states (North Rhine-Westph
 alia\, Hesse\, Saxony\, and Thuringia) serving 30.4 million German
 citizens as the link between public health centers and contact tracing
 apps.\n\nTo us\, security questions were central for two main reasons:
 \n\nA) The sensitive information\, including health data\, that
 IRIS-Connect handled.\nB) The non-negligible attack surface of public
 health centers.\n\nDue to A)\, IRIS offers E2EE communication between
 public health centers and the apps used by the population at large.
 The relevance of the second point was stressed by the known
 vulnerabilities reported in similar solutions [2].\n\nGiven this
 situation\, the government institutions interested in using our
 software wanted to know “whom they could call” if something is
 wrong. Given the imminent situation\, we were able to find practical
 short-term solutions\, but the issue remains. Especially with the EU's
 Cyber Resilience Act [3] on the horizon\, the question of how to reach
 out to OSS projects will become more relevant.\n\nFor a more
 comprehensive view on the challenges of FOSS procurement\, please see
 Miriam Swyffarth's talk: “Why isn't the German administration
 procuring more FOSS?”\n\nThis talk is part of the InÖG's current
 cooperation with the BSI - Germany's cybersecurity agency – in the
 project “B3 - Buntes Bug Bounty” as part of the BSI's annual
 Cybersicherheitsdialog. For more information\, please visit the project
 websites of both partners [4][5]. We acknowledge funding by the BSI in
 the form of reimbursements of expenses of the volunteering
 contributors.\n\n[1] https://github.com/iris-connect\n[2] https://algor
 ithmwatch.org/en/tracers/vulnerability-in-german-contact-tracing-app-l
 uca/\n[3] https://digital-strategy.ec.europa.eu/en/library/cyber-resi
 lience-act\n[4] https://www.inoeg.de/b3/\n[5] https://www.dialog-cybers
 icherheit.de/workstreams/
DTSTAMP:20260315T224410Z
LOCATION:Stage 2
SUMMARY:A security.txt for gits? - Gregor "Little Detritus" Bransky
URL:https://program.foss-backstage.de/fossback23/talk/KEMRGG/
END:VEVENT
BEGIN:VEVENT
UID:pretalx-fossback23-WEXPSB@program.foss-backstage.de
DTSTART;TZID=CET:20230314T154500
DTEND;TZID=CET:20230314T162500
DESCRIPTION:In a world where we stand on the shoulders of giants\, where we
  build systems that are increasingly interconnected\, supply chain securit
 y is becoming more and more important. As Free and Open Source projects\, 
 we believe that we can lead the way for the industry in terms of processes
 \, best practices and technology patterns.\n\nIn this open panel\, we want
  to discuss the importance of security in Free and Open Source Software pr
 ojects. We want to encourage participants of FOSS Backstage to share their
  questions and insights about topics like supply chain security\, security
  processes\, vulnerability disclosure\, bug bounties and more.
DTSTAMP:20260315T224410Z
LOCATION:Stage 1
SUMMARY:On the Shoulders of Giants: Security in FOSS - Thomas Fricke (he/hi
 m)\, Isabel Drost-Fromm\, Gregor "Little Detritus" Bransky
URL:https://program.foss-backstage.de/fossback23/talk/WEXPSB/
END:VEVENT
END:VCALENDAR
