New policy addresses how OASIS receives and responds to reported vulnerabilities
Responsible investigation and reporting of known or potential software vulnerabilities is a crucial part of protecting systems and users from hacks and cyberattacks. While open standards are not typically sources of software vulnerabilities, we believe that OASIS should follow best industry practices and provide channels and processes for reporting and addressing possible flaws in the work of our technical communities.
In this spirit, the Board of Directors has approved and adopted the OASIS Vulnerability Handling & Disclosure Policy (https://www.oasis-open.org/policies-guidelines/oasis-vulnerability-handling-disclosure-policy/). The policy governs how OASIS committees and staff receive and address reports of potential flaws.
The companion Vulnerability Handling & Disclosure Process (https://www.oasis-open.org/policies-guidelines/oasis-vulnerability-handling-disclosure-process/) explains how the policy works in practice.