Lessons from OSV: Vulnerability Management for Open Source

CVE/FIRST VulnCon 2025 · Main Stage

Oliver from Google's open source security team presented a comprehensive talk at VulnCon, detailing the journey and principles behind the **Open Source Vulnerability (OSV) schema**. This JSON schema, an initiative of the OpenSSF, is designed to describe known vulnerabilities in open source packages in a minimal, consistent, and machine-readable format. Launched four years ago, OSV has rapidly gained traction, with adoption across major language ecosystems, open-source vulnerability databases, and Linux distributions. The core objective of OSV is to empower software developers to accurately identify and remediate vulnerabilities within their open-source dependencies, transforming a historically complex and error-prone process into an actionable and automated workflow.
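To make the "actionable and automated workflow" concrete, here is an added example (not code from the talk or from the OSV project) that matches an installed package version against a constructed OSV-format advisory. The field names (`id`, `affected`, `package`, `ranges`, `events`) are the real OSV schema fields; the advisory contents, package name and versions are made up, and the version comparison assumes plain numeric dotted versions with no pre-release tags.

```python
import json

# Constructed sample advisory in OSV format (not a real vulnerability).
SAMPLE_OSV = json.loads("""
{
  "id": "EXAMPLE-2025-0001",
  "summary": "Constructed example advisory for demonstration only",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}
      ]
    }
  ]
}
""")


def parse_version(v):
    """Assumption: numeric dotted versions only (no pre-release suffixes)."""
    return tuple(int(p) for p in v.split("."))


def version_in_ranges(version, ranges):
    """Walk each SEMVER range's events in order: a version is affected when it is
    >= the latest 'introduced' event and < the 'fixed' event that follows it."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") != "SEMVER":
            continue  # GIT and ECOSYSTEM ranges need ecosystem-specific ordering
        lower = None
        for ev in rng["events"]:
            if "introduced" in ev:
                lower = parse_version(ev["introduced"])
            elif "fixed" in ev and lower is not None:
                if lower <= v < parse_version(ev["fixed"]):
                    return True
                lower = None
        if lower is not None and v >= lower:  # introduced but not yet fixed
            return True
    return False


def affected_ids(advisories, ecosystem, name, version):
    """Return the IDs of advisories that apply to one installed package."""
    hits = []
    for adv in advisories:
        for a in adv["affected"]:
            pkg = a["package"]
            if pkg["ecosystem"] == ecosystem and pkg["name"] == name and (
                version in a.get("versions", [])
                or version_in_ranges(version, a.get("ranges", []))
            ):
                hits.append(adv["id"])
                break
    return hits
```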

AI review

A competent, practitioner-level walkthrough of the OSV schema — its design principles, technical decisions, and surrounding tooling — delivered by someone clearly close to the project. This is infrastructure talk done honestly: no hype, real tradeoffs explained, and the design rationale is actually useful for anyone building vulnerability tooling or feeding data into the ecosystem. But it's also not groundbreaking research. OSV has been around for four years, the schema is public, and most of the content here is well-documented. The VEX future-work section is the most interesting signal in…
