So you are maintaining an Open Source Python package and suddenly security researchers are messaging you, asking about your process for reporting the vulnerabilities they found. Do you feel out of your depth and don’t know what to do in such a situation? Let’s change that!
If you maintain an Open Source project, be it a library or an end-user facing application, sooner or later you will find security vulnerabilities in your code, either by stumbling over a problem yourself or by being notified about it by someone else. Plenty of maintainers feel overwhelmed by this at first and don’t know how to react or how to proceed; with this talk I want to take a first step towards changing that.
I’m not a security researcher but a maintainer myself, and I had to go through the learning process of how to deal with security vulnerabilities in a professional and effective way. That actually isn’t as difficult as it might seem at first glance, and I want to give you a basic 101 on project security, specifically from the maintainer’s point of view. By the end, you should have an idea of what you need to prepare in order to accept vulnerability reports, how to handle them when they come in, how to spot bad ones, and how to go about fixing vulnerabilities without putting your user base at risk.