LAS VEGAS–Six months ago, the federal government set up a new office and gave it a tough first assignment: Report back on the public-private response to the Log4j vulnerability that left a huge fraction of the web vulnerable to remote compromises.
At a panel discussion Wednesday at the Black Hat information-security conference here, that board’s chair and deputy chair shared the major lessons learned from that effort—starting with a welcome willingness among industry types to talk to a government organization.
"I think what surprised a lot of people was how deep the fact-finding could go," Cyber Safety Review Board Chair (and policy undersecretary at the Department of Homeland Security) Robert Silvers told panel moderator and Black Hat founder Jeff Moss. "We actually created a factual rollup of how the Log4j vulnerability disclosure process, the response, all went down."
Co-chair Heather Adkins, VP of security engineering at Google, made the same point, calling herself "really pleasantly surprised" that 80-plus organizations and security researchers spoke to the board for the 52-page report (PDF) it published in July. "We even heard from the People's Republic of China."
The Cybersecurity and Infrastructure Security Agency (CISA) spun up the 15-member board in February, following a directive in the executive order on information security that President Biden issued in May 2021. It's roughly modeled after the National Transportation Safety Board, with the goal of bringing transparency to a field in which the targets of attacks have often retreated into vague silence about what went wrong.
"Until the CSRB was created, there was
Read more on pcmag.com