Today maintainers deal with a significant influx of issues, PRs (re. updating dependencies) & broader comms when a new CVE is reported on a popular library in our ecosystem. Many of these are being considered "false positives" from an impact/vulnerability perspective. This level of noise creates distrust in the relationships between security companies/researchers, maintainers, & the collective end-users/consumers.

By creating a neutral forum to discuss & ideate across this ecosystem's stakeholders, we hope to improve CVE reporting & resolution workflows; Minimizing burden on maintainers & noise for consumers.

Examples of desired or successful outcomes from this discourse/space:

• Improved delineation of domains & controls
• Improved communication between maintainers & security researchers/organizations
• Improved tooling for package auditing, resolution & management as a whole
  • ex. package maintainers have a mechanism to flag/counterclaim vulnerability reports of dependencies that do not affect their own usage/workflows
  • ex. end-users have a mechanism to more granularly control the visibility of the vulnerability reports of their dependencies (including filtering on flags/counterclaims)

• Darcy Clarke (@darcyclarke) - Champion
• Wesley Todd (@wesleytodd) - Champion
• Zbyszek Tenerowicz (@naugtur)
• Christopher Hiller (@boneskull))
• Michael Dawson (@mhdawson)
• Dominykas Blyžė (@dominykas)
• Jordan Harband (@ljharb)
• Marcin Hoppe (@MarcinHoppe)

• Submit & get accepted a proposal for dedicated Collaboration Space
• Creation of a dedicated repository within the openjs-foundation GitHub Organization
• Creation of a channel within the Foundation's Slack Organization
• Determine a time for recurring meetings w/ members
• Setup meeting generation tools to align with existing Foundation best practices
• Setup Foundation's Zoom & YouTube accounts for streaming

• Slack Channel - #pkg-vuln-collab-space
• GitHub Team - @pkg-vuln-collab-space
• OpenJS Foundation - Events Calendar