[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [csaf-comment] Re: CSAF support from vendors
Dear Mr. Mendes,

currently, there is no public list of all issuing parties (as also coordinators like BSI, CISA, CERT/CC, ... or security researchers could publish CSAF documents). BSI is in the process of creating a publicly available CSAF lister. (However, nobody guarantees completeness of such a list.) The TC encourages all issuing parties to publicly announce when they support CSAF. From my personal experience, vendors tend to start producing CSAF before publicly announcing that.

Maybe I'm missing something here, but I didn't get the following sentence:

> I saw that the standard contemplates a provider-metadata.json for aggregators to be contemplated at the security.txt, but as the field for this security.txt is a proposal I wonder, if no such space exist, would it be possible to create it?

A CSAF aggregator or lister does not have a provider-metadata.json. Nevertheless, the specification defines in section 7.3.1 a mechanism to detect a provider-metadata.json (https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html#731-finding-provider-metadatajson). There is also an open source tool available to do that: https://github.com/csaf-poc/csaf_distribution#csaf_checker . Basically, it tests whether it is able to detect a CSAF trusted provider at a given domain.

Kind regards,
Thomas Schmidt

--
Thomas Schmidt

From: csaf-comment@lists.oasis-open.org <csaf-comment@lists.oasis-open.org> On Behalf Of Chet Ensign
Sent: Friday, June 24, 2022 5:35 PM
To: Mendes, Pedro <pmende01@amgen.com>
Cc: info@oasis-open.org; project-admin@oasis-open.org; csaf-comment@lists.oasis-open.org
Subject: [csaf-comment] Re: CSAF support from vendors

Mr. Mendes, thanks for getting in touch with us and for your adoption of CSAF. The experts here are, of course, the members of the CSAF Technical Committee (see https://www.oasis-open.org/committees/membership.php?wg_abbrev=csaf), so I am taking the liberty of including the TC's comment email list on my reply. This is the appropriate channel by which to send questions and feedback to the TC. This message will go to the list since I am subscribed. If you wish to use it to continue the exchange with the members, you will need to subscribe following the instructions at https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=csaf .

Let me know if you have any questions on this and again, thanks for your interest in CSAF. The TC is doing important work!

Best regards,
/chet

On Fri, Jun 24, 2022 at 11:20 AM 'Mendes, Pedro' via Project Admin <project-admin@oasis-open.org> wrote:

> Hi, good morning,
>
> I'm writing you an email to know if you have a public page/space where we can check the vendors that already support CSAF. We're trying to get rid of the manual process to manage vulnerabilities from vendors; however, it's kind of a tedious process to keep track of which vendors already support it and are publishing their security advisories in that format.
>
> I saw that the standard contemplates a provider-metadata.json for aggregators to be contemplated at the security.txt, but as the field for this security.txt is a proposal I wonder, if no such space exist, would it be possible to create it?
>
> This would make life easier for lots of people on this side.
>
> Thank you in advance,
>
> Best regards,
> Pedro Mendes

--
Chet Ensign
Chief Technical Community Steward
OASIS Open
tel: +1 201-341-1393
chet.ensign@oasis-open.org
https://www.oasis-open.org
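The three lookups that section 7.3.1 of CSAF 2.0 names for finding a provider-metadata.json (the well-known URL, a CSAF field in security.txt, and the csaf.data.security DNS path), as an added Python example that is not part of this thread and not the csaf_distribution checker's code. The HTTP fetcher is injected so the script runs offline; the domain vendor.example, its security.txt and the JSON body are constructed; plausible_metadata_url and is_metadata_document are sanity checks of my own, not rules quoted from the specification.

```python
"""Discovery of a CSAF provider-metadata.json per CSAF 2.0 section 7.3.1.

Added example, not code from the thread or from csaf_distribution. The three
lookups are the ones the specification names; vendor.example and every
response below are constructed so the script runs offline.
"""
import json
from typing import Callable
from urllib.parse import urlparse

# fetch(url) -> (status, body, final_url_after_redirects). Injecting it keeps
# the example offline; a real run would wrap urllib.request.urlopen.
Fetcher = Callable[[str], tuple[int, str, str]]

WELL_KNOWN = "https://{d}/.well-known/csaf/provider-metadata.json"
# RFC 9116 location first, legacy top-level location second (assumption:
# both are worth probing, as a lenient checker would).
SECURITY_TXT = ("https://{d}/.well-known/security.txt", "https://{d}/security.txt")
DNS_PATH = "https://csaf.data.security.{d}"


def csaf_fields(security_txt: str) -> list[str]:
    """Values of every 'CSAF:' field in a security.txt body.

    RFC 9116 field names are case-insensitive and '#' starts a comment line.
    """
    values = []
    for raw in security_txt.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "csaf":
            values.append(value.strip())
    return values


def plausible_metadata_url(url: str) -> bool:
    """Own sanity check: a pointer must be HTTPS and name a provider-metadata.json
    file, so a stray or tampered security.txt line cannot send the client anywhere."""
    p = urlparse(url)
    return p.scheme == "https" and p.path.endswith("/provider-metadata.json")


def is_metadata_document(body: str) -> bool:
    """Own lightweight content check (not full schema validation): a JSON object
    carrying canonical_url, which the provider-metadata.json schema requires."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and isinstance(doc.get("canonical_url"), str)


def find_provider_metadata(domain: str, fetch: Fetcher) -> list[tuple[str, str]]:
    """Try all three section 7.3.1 methods; return (method, final_url) for each
    that yields a reachable metadata document. Collecting all hits instead of
    stopping at the first lets a checker report when the methods disagree."""
    hits: list[tuple[str, str]] = []

    # Method 1: well-known URL.
    status, body, final = fetch(WELL_KNOWN.format(d=domain))
    if status == 200 and is_metadata_document(body):
        hits.append(("well-known", final))

    # Method 2: security.txt with at least one CSAF field.
    for location in SECURITY_TXT:
        status, body, _ = fetch(location.format(d=domain))
        if status != 200:
            continue
        for pointer in csaf_fields(body):
            if not plausible_metadata_url(pointer):
                continue
            status, body, final = fetch(pointer)
            if status == 200 and is_metadata_document(body):
                hits.append(("security.txt", final))
        break  # the first security.txt found is the one that counts

    # Method 3: DNS path; the host may redirect to the real file or serve it
    # directly, so report the final URL and judge the body.
    status, body, final = fetch(DNS_PATH.format(d=domain))
    if status == 200 and is_metadata_document(body):
        hits.append(("dns", final))

    return hits


# Constructed responses for a hypothetical vendor that publishes its metadata
# outside the well-known path and advertises it via security.txt and DNS.
META_URL = "https://vendor.example/security/csaf/provider-metadata.json"
META_BODY = json.dumps({"canonical_url": META_URL})
FAKE_WEB = {
    "https://vendor.example/.well-known/security.txt": (
        200,
        "# constructed sample\n"
        "Contact: mailto:psirt@vendor.example\n"
        "Expires: 2030-01-01T00:00:00.000Z\n"
        "CSAF: https://vendor.example/security/csaf/provider-metadata.json\n"
        "CSAF: http://vendor.example/insecure/provider-metadata.json\n",
        "https://vendor.example/.well-known/security.txt",
    ),
    META_URL: (200, META_BODY, META_URL),
    "https://csaf.data.security.vendor.example": (200, META_BODY, META_URL),
}


def fake_fetch(url: str) -> tuple[int, str, str]:
    """Offline stand-in for an HTTP client; unknown URLs answer 404."""
    return FAKE_WEB.get(url, (404, "", url))


def discover_vendor_example() -> list[tuple[str, str]]:
    return find_provider_metadata("vendor.example", fake_fetch)


if __name__ == "__main__":
    for method, url in discover_vendor_example():
        print(f"{method:13s} -> {url}")
```

Replacing fake_fetch with a function that follows redirects with urllib.request turns this into a minimal discovery probe for a real domain; the csaf_checker the thread links to goes much further (TLS, ROLIE feeds, signatures and hashes of the advisories), so treat this as the first step of such a check, not a substitute for it.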