op-advisory-council message

Subject: Re: [Question] Review new security policy?


Deeply appreciative of that, Deb - and of course to everyone for their review and thoughts so far. You all are the cat's pajamas!

On Wed, Apr 29, 2020 at 1:13 PM Deborah Bryant <dbryant@redhat.com> wrote:
Chet,

I have the great honor of being Mark Cox's manager at Red Hat. He was head of product security at Red Hat for many years and is now focused on upstream security-related projects (also a co-founder and VP Security at Apache Foundation). I've asked him if he might find time to help with this.

Mark says he would be very happy to take a look at the docs, I've shared the links, tomorrow and then email you if you'd like to set up time with him for feedback.

Cheers,

Deb




On Wed, Apr 29, 2020 at 11:32 AM Deborah Bryant <dbryant@redhat.com> wrote:
Hi Chet,

I'll check around and see if I can find a volunteer with subject matter depth and some bandwidth to help at Red Hat.

Deb


On Mon, Apr 27, 2020 at 11:03 AM Chet Ensign <chet.ensign@oasis-open.org> wrote:
Hi Tobie & everyone,

There are two draft documents:


These originally came out of an event in late 2018 when the MQTT Technical Committee was contacted by a researcher reporting a potential vulnerability in the standard. While this was an edge case, it caught us by surprise. We had to make up policy and procedure on the fly for allowing a group to work behind closed doors (anathema to our guiding principles) while they evaluated the report and came up with a fix.

The OASIS Technical Advisory Board (TAB) then looked into the question and found that standards development organizations, in general, don't appear to have the basics in place either for reporting or for remediating. So they wrote up a white paper and sent it on to the Board's Process Committee. The committee has now turned that into the policy document and the process document linked above. You should be able to get to the documents with those links. I will be circulating these to the broad membership for review once we address a final couple of points.

So as you can see, this came out of the standards development side of the things. But clearly it will need to apply for Open Projects as well. In fact, more so. So our goal is to be ready and have things in place so that parties who want to report a vulnerability have a channel to do so and our technical communities have a clear set of procedures for handling the reports.

Best,

/chet

On Fri, Apr 24, 2020 at 6:24 PM Tobie Langel <tobie@unlockopen.com> wrote:
Think you could share the draft? It's hard to know if contributions would be useful without any idea of what's already in place.

Thanks,

-tobie

On Fri, Apr 24, 2020 at 23:18 Jory Burson <jory.burson@oasis-open.org> wrote:
Hi there, OASIS Advisory Council Reps,

OASIS's Board of Directors is keen to get your feedback on some proposed Vulnerability Disclosure policies. They are wrapping up the drafts in the next week or so, but I wondered if some of you would be available to chat with Martin Chapman (Board Member and Legal Counsel from Oracle) & share thoughts (or share them asynchronously).

If this is up your alley, do you mind letting me know whether you would be interested & available for a discussion in the next 2-3 weeks? I know calendaring is tough - now more than ever - so I thought I'd get the ask out now.

Also, big congrats to Jim Jaglieski for his new role doing Open Source with Uber! They are incredibly lucky to have you, Jim!

Hope you and your families are all safe and healthy.
Jory

--
OASIS Open Projects Program Manager
Pronouns: She / Her



--

/chet
----------------
Chet Ensign
Chief Technical Community Steward
OASIS: Advancing open source & open standards for the information society
http://www.oasis-open.org

Mobile: +1 201-341-1393


--

Deborah Bryant

Senior Director Open Source Program Office

Office of The CTO

Red Hat

dbryant@redhat.com | T: 650.254.4033 | IM: @debbryant


@redhatopen



--
OASIS Open Projects Program Manager
Pronouns: She / Her
https://oasis-open-projects.org/
