2025-03-10, Auditorium
Given just a month's notice to move to a new workflow for managing incoming security reports for our open source project, we implemented GitHub's built-in security reporting feature in the Mautic project. Join us to learn how we did it, and to explore the highs and lows of collaborating with researchers, contributors and our security team using this system.
In November last year, the tool we used for accepting incoming security issue reports decided to stop working with open source projects outside of AI/ML, so we were forced to establish entirely new workflows for receiving reports, collaborating with researchers and publishing our security issues with only a month's notice.
In this talk we'll explore the key features that are offered to open source projects through the built-in GitHub Security Advisories feature, and talk about some of the challenges that a large open source project like Mautic might face when implementing this system.
We'll look at the steps we went through to transition fully to using GitHub's built-in private advisory reporting system and cover some of the big gotchas that you'll need to be aware of when working with GitHub private forks, and how we're currently working around them. We'll also walk through a start-to-finish process of how an issue is now reported, triaged, resolved and released in our current workflows.
Come along if you're curious about all things GitHub Security Advisories and how to implement such a workflow within your projects.
Ruth is an Open Source advocate with over 20 years of experience using and contributing to many different projects.
Having served on the Community Leadership Team of the Joomla! project and built a full-service digital agency, she now works as Project Lead for Mautic, supporting the community who build and maintain the world’s first Open Source Marketing Automation platform.
Ruth is a lover of cats, a keen runner and flautist (but not at the same time!) and is based in the East of England.