[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [Question] Review new security policy?
Thank you for sharing those.This has had some serious work putÂinto it, congrats!I feel like the community would benefit if those were available as CC-BY on GitHub.I've added a few comments, but it's mostly out of my league.Folks that work in large corporations might be able to loop-in their security team to get a more expert set of eyes on those docs.Best,--tobieOn Mon, Apr 27, 2020 at 5:03 PM Chet Ensign <chet.ensign@oasis-open.org> wrote:Hi Tobie & everyone,ÂThere are two draft documents:ÂOASIS Vulnerability Handling & Disclosure Policy: https://docs.google.com/document/d/1Vx-ul_MTenguAmFZKnMS89yEu1YMbvRenJGk0D7N3KI/edit#heading=h.7m6wq9expm3e
OASIS Vulnerability Handling & Disclosure Process: https://docs.google.com/document/d/1qxp3EMq8KKq84smrAFyWlnL87oOrPj-kT9dxefjk5Pc/edit#heading=h.7m6wq9expm3eThese originally came out of an event in late 2018 when the MQTT Technical Committee was contacted by a researcher reporting a potential vulnerability in the standard. While this was an edge case, it caught us by surprise. We had to make up policy and procedure on the fly for allowing a group to work behind closed doors (anathema to our guiding principles) while they evaluatedÂthe report and came up with a fix.ÂThe OASIS Technical Advisory Board (TAB) then looked into the question and found that standards development organizations, in general, don't appear to have the basics in place either for reporting or for remediating. So they wrote up a white paper and sent it on to the Board's Process Committee. The committee has now turned that into the policy document and the process document linked above. You should be able to get to the documents with those links. I will be circulating these to the broad membership for review once we address a final couple of points.ÂSo as you can see, this came out of the standards development side of the things. But clearly it will need to apply for Open Projects as well. In fact, more so. So our goal is to be ready and have things in place so that parties who want to report a vulnerability have a channel to do so and our technicalÂcommunities have a clear set of procedures for handling the reports.ÂBest,Â/chetÂOn Fri, Apr 24, 2020 at 6:24 PM Tobie Langel <tobie@unlockopen.com> wrote:Think you could share the draft? Itâs hard to know if contributions would be useful without any idea of whatâs already in place.Thanks,âtobieOn Fri, Apr 24, 2020 at 23:18 Jory Burson <jory.burson@oasis-open.org> wrote:ðÂHi there, OASIS Advisory Council Reps,ÂOASIS's BoardÂof Directors is keen to get your feedback on some proposed Vulnerability Disclosure policies. They are wrapping up the drafts in the next week or so, but I wondered if some of you would be available to chat with Martin Chapman (Board Member and Legal Counsel from Oracle) & share thoughtsÂ(or share them asynchronously).ÂIf this is up your alley, do you mind letting me know whether you would be interested & availableÂfor a discussion in the nextÂ2-3 weeks? I know calendaring is tough - now more than ever - so I thought I'd get the ask out now.ðÂAlso, big congrats to Jim Jaglieski for his new role doing Open Source with Uber! They are incredibly lucky to have you, Jim!ÂðHope you and your families are all safe and healthy.Â--
/chetÂ
----------------Chet EnsignChief Technical Community Steward
OASIS: Advancing open source & open standards for the information society
http://www.oasis-open.org
Mobile: +1 201-341-1393Â
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]