<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">
Upstream microphone

James Berthoty

CEO / Security Engineer

Latio Tech / PagerDuty

Upstream ribbons
James Berthoty
How can we get CVEs out of GitHub Issues?
3:35 PM - 4:00 PM EST
In this session I'll give an overview of what the problem is with submitting CVEs to GitHub issues—why it's frustrating for compliance teams and maintainers both. I'll cover the nature of vulnerability scanners and compliance requirements that make security teams submit numerous unvalidated vulnerabilities upstream. I'll also talk about why these reports drive maintainers crazy, and the current standards are unrealistic. I'll then highlight how the solution to this problem comes from both sides: clearer maintainer security policies and better understanding of what compliance requirements actually are. I'll talk about why Argo's security policy is a great starting place, and that vulnerability scanners need to focus on upstream direct dependencies instead of the endless transitive dependency pain.

About James Berthoty

James Berthoty has been in technology for over 10 years across engineering and security roles. An early advocate for DevSecOps, he has a passion for driving security teams as contributors to product and built Latio Tech to help connect people with the right products.