OASIS Vulnerability Handling & Disclosure Process

This version of the OASIS Vulnerability Handling & Disclosure Process was approved by the OASIS Board of Directors on 14 June 2023 and became effective immediately.

This process implements the policies described in the Vulnerability Handling & Disclosure Policy.

Process

Vulnerabilities should be reported by email to vulnerabilities@oasis-open.org. In the report, we request that you include:

  • The name, version, and a link to the standard, specification, site, package, or code module;
  • If possible, your assessment of the vulnerability severity (low/medium/high) using an industry standard mechanism such as CVSS v3;
  • Description of the vulnerability, including how it was found and if it can be exploited;
  • Steps to reproduce, if available;
  • If possible, any suggestions, fixes, and/or patches;
  • How you would like to be credited (name, URL, or email) if this issue is accepted, or whether you would prefer to remain anonymous.

Please send one plain-text email for each vulnerability you are reporting. We ask that you not submit your report as a PDF, HTML, word processor file, or similar attachment, as such file formats can introduce security concerns of their own.

By submitting any vulnerability report to OASIS, you hereby grant to OASIS and all OASIS members a perpetual, irrevocable, non-exclusive, transferable, sub-licensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, distribute, and incorporate your submission or any parts thereof into standards, products, services, or test systems, without any further obligations or notices to you beyond those described in this document or in the OASIS Vulnerability Handling & Disclosure Policy.

Researcher Requirements

We require that all researchers:

  • Make every effort to avoid privacy violations, disruption or degradation of service to OASIS systems, and destruction of data during all security testing;
  • Perform research only within the various scopes set out below;
  • Use the identified communication channels to report vulnerability information to us;
  • Maintain confidentiality of any vulnerability you’ve discovered for 45 days, or until OASIS indicates that the vulnerability has been resolved. After 45 days, if OASIS has been unable or unwilling to provide a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the Finder. We believe transparency is in the public’s best interest in these extreme cases.

OASIS Obligations

If you follow these guidelines when reporting an issue to us, we commit to following the OASIS Vulnerability Handling & Disclosure Policy. Under that policy we will, among other things:

  • Confirm receipt of your report within 72 hours;
  • Not pursue or support any legal action related to your research, recognizing that OASIS cannot make commitments on behalf of its membership;
  • Work with you, relevant OASIS members, and, as appropriate, outside experts to understand and resolve the issue quickly if applicable, following the OASIS Vulnerability Handling & Disclosure Policy;
  • If applicable and desired, recognize your contribution if you are the first to report the issue.

Scope

The scope of works covered by this process shall be any work on any OASIS-managed platform, including but not limited to:

Where a project already has its own vulnerability reporting policy or process in place, we encourage you to use it and to treat this OASIS-wide process as a backup option.

The following activities and findings are excluded from scope:

  • Any attempt to modify or destroy data;
  • Findings derived primarily from social engineering (e.g. phishing);
  • Findings from applications or systems not listed in the ‘Scope’ section;
  • Network level Denial of Service (DoS/DDoS) vulnerabilities or any other attempt to interrupt or degrade the services OASIS offers to its members, including impacting the ability for end users to use the service;
  • Any attempts to access a user’s account or private data;
  • Anything not permitted by applicable law, unless permitted by this document.

Out Of Scope

  • Implementations of OASIS standards and OASIS Committee Specifications that are not included in the Scope section above, regardless of their nature, including but not limited to commercial, freely available, or open source implementations. In these cases, the report should be made to the entity or organization who produces the product or implementation;
  • Any services hosted by third-party providers (reports concerning these will be promptly forwarded by OASIS staff to the contracted provider);
  • Anything else not explicitly named in the Scope section above.