OASIS members,
Responsible investigation and reporting of known or potential software vulnerabilities is a crucial part of protecting systems and users from hacks and cyberattacks. While open standards are not typically sources of software vulnerabilities, we believe that OASIS should follow best industry practices and provide channels and processes for ethical reporting and addressing of possible vulnerabilities in our work.
In this spirit, the Board of Directors has approved and adopted the OASIS Vulnerability Handling & Disclosure Policy (https://www.oasis-open.org/policies-guidelines/oasis-vulnerability-handling-disclosure-policy/). The policy governs how OASIS committees and staff receive and address reports of potential flaws.
The companion Vulnerability Handling & Disclosure Process (https://www.oasis-open.org/policies-guidelines/oasis-vulnerability-handling-disclosure-process/) explains how the policy works in practice.
Have a look at these documents and feel free to share thoughts, questions, or suggestions with us.
Best regards,
/chet
--
Chet Ensign
Chief Technical Community Steward
OASIS Open