New 'Siren' mailing list aims to share threat intelligence for open source projects

The Open Source Security Foundation (OpenSSF) announced a new email mailing list named Siren that aims to spread threat intelligence related to open source projects.

Since the discovery of the Log4j issue, the security of open source projects has become a critical national security concern. The recent situations around XZUtils and OpenJS have reignited concerns about how the open source community is handling cybersecurity.

Siren will be publicly viewable and will only require registration to post on the list.

OpenSSF General Manager Omkhar Arasaratnam said that at a recent open source event, members of the community ran a tabletop exercise where they simulated a security incident involving the discovery of a zero-day vulnerability. 

They worked their way through the open source ecosystem — from cloud providers to maintainers to end users — clearly defining how the discovery of a vulnerability would be dealt with from top to bottom. 

But one of the places where they found a gap is in the dissemination of information widely. 

“What we lack within the open source community is a place in which we can convene to distribute indicators of compromise, IOCs, and threats, tactics and procedures, TTPs, in a way that will allow the community to identify threats when our packages are under attack,” Arasaratnam said. 

“So in other industries, like within the financial sector, they have an ISAC to distribute this kind of threat information when folks are attacking the financial sector. So we're going to be standing up a mailing list for which we can share this information throughout the community and there can be discussion of things that are being seen. And that's one of the ways that we're responding to this gap that we saw.”

OpenSSF explained that while there are existing tools like the oss-security mailing list — which aid in communicating vulnerabilities within the community — there is a “lack of efficient channels for sharing information about exploits with a broader audience, including open source projects, distributors, security researchers, and developers.”

The Siren mailing list will encourage public discussions on security flaws, concepts, and practices in the open source community with individuals who are not typically engaged in traditional upstream communication channels. 

They said it will focus on operational impact and response rather than just vulnerability coordination and will serve as a means to keep the community informed about threats and activities post-disclosure.

Christopher Robinson, director of security communications at Intel, and OpenSSF ecosystem strategist Bennett Pursell explained that open source software currently powers up to 90% of modern software — making it an important cog in everything from web servers to mobile apps. 

Despite its importance, the community has no means of communicating information about exploits efficiently with the broader downstream audience.

Siren is intended to be a “post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination,” the two said. 

Members of the Siren email list will get real-time updates about emerging threats that may be relevant to their projects. 

OpenSSF is hoping the mailing list will foster a culture of shared responsibility and collective defense. 

“By leveraging the collective knowledge and expertise of the open source community and other security experts, the OpenSSF Siren empowers projects of all sizes to bolster their cybersecurity defenses and increase their overall awareness of malicious activities,” Robinson and Pursell said.  

“Whether you're a developer, maintainer, or security enthusiast, your participation is vital in safeguarding the integrity of open source software.”

OpenSSF has created a signup page for those interested and urged others to share the email list to other open source community members.

Robinson, who also serves as chair of the OpenSSF Technical Advisory Council, told Recorded Future News that until now, there was no focused effort on sharing details about active exploits for downstream consumers and enterprise defenders.

Robinson said he expects government agencies, security researchers, defenders and others to be involved in the effort.