Re: CSAF support from vendors

Mr. Mendes, thanks for getting in touch with us and for your adoption of CSAF.Â

The experts here are, of course, the members of the CSAF Technical Committee (seeÂhttps://www.oasis-open.org/committees/membership.php?wg_abbrev=csaf), I am taking the liberty of including the TC's comment email list on my reply. This is the appropriate channel by which to send questions and feedback to the TC. This message will go to the list since I am subscribed. If you wish to use it to continue the exchange with the members, you will need to subscribe following the instructions atÂhttps://www.oasis-open.org/committees/comments/index.php?wg_abbrev=csaf.Â

Let me know if you have any questions on this and again, thanks for your interest in CSAF. The TC is doing important work!Â

Best regards,Â

/chetÂ

On Fri, Jun 24, 2022 at 11:20 AM 'Mendes, Pedro' via Project Admin <project-admin@oasis-open.org> wrote:

Hi good morning,

Â

Iâm writing you an email to know if you have a public page/space where we can check the vendors that already support CSAF.

Â

Weâre trying to get rid of the manual process to manage vulnerabilities from vendors, however itâs kind of tedious process to keep track of which vendors already support it and are publishing their security advisories in that format.

Â

Â

I saw that the standard contemplates a provider-metadata.json for aggregators to be contemplated at the security.txt, but as the field for this security.txt is a proposal I wonder, if no such space exist, would it be possible to create it?

Â

This would make life easier for lots of people on this side.

Â

Thank you in advance,

Â

Best regards,

Pedro Mendes

Â

csaf-comment message

ChetÂEnsign