September 19-21, 2023
Bilbao, Spain
Tuesday, September 19 • 16:35 - 17:15
Scaling the Security Researcher to Eliminate OSS Security Vulnerabilities Once and For All - Jonathan Leitschuh, Open Source Security Foundation


Hundreds of thousands of human hours are invested every year in finding security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new. We’ve known about them for years, but they’re everywhere! The scale of GitHub & tools like CodeQL (GitHub's code query language) enable scanning for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, and would be a burden on volunteer OSS maintainers. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We’ll discuss the practical applications of this technique on real-world OSS projects. We’ll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.

Jonathan Leitschuh

Senior Software Security Researcher, Open Source Security Foundation
Jonathan Leitschuh is a Senior Software Security Researcher currently working for the Open Source Security Foundation (OpenSSF). He was the first Dan Kaminsky Fellow and former Software Engineer. Jonathan is best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure...

Tuesday September 19, 2023 16:35 - 17:15 CEST
Room 0C (Floor 0)