Action
Mitigation was added to Section 3.3.2 - Security Assurance to ensure completeness, as the section previously mentioned only remediation.
Old Language
3.3.2 - Security Assurance
For each Open Source Software component in the bill of materials for the Supplied Software release under review;
Apply method for detecting existence of Known Vulnerabilities;
For each identified Known Vulnerability assign a risk/impact score;
For each detection and assigned score determine and document necessary remediation steps suitable for the use-case of the software and get Customer Agreement at or above a previously determined level (i.e., all severity scores above 4.5 …);
Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.
New Language
3.3.2 - Security Assurance
For each Open Source Software component in the bill of materials for the Supplied Software release under review;
Apply method for detecting existence of Known Vulnerabilities;
For each identified Known Vulnerability assign a risk/impact score;
For each detection and assigned score determine and document necessary remediation or mitigation steps suitable for the use-case of the software and get Customer Agreement at or above a previously determined level (i.e., all severity scores above 4.5 …);
Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.
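The bullets above describe a loop: walk the bill of materials, detect known vulnerabilities per component, carry a risk/impact score, document a remediation or mitigation step, and collect Customer Agreement above an agreed threshold, then keep monitoring distributed releases. The following is an added illustration of that loop, not OpenChain specification text or any tool's code. It assumes an SBOM as a list of name/version pairs, a vulnerability feed as a list of entries with affected versions and a 0-10 score, and the 4.5 threshold the spec uses in its own example; every component name, version and vulnerability ID is a constructed placeholder.

```python
"""Added example: one pass through the 3.3.2 Security Assurance loop.
Not OpenChain text; SBOM, feed, names, versions and IDs are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Threshold taken from the spec's own example "(i.e., all severity scores above 4.5 ...)".
AGREEMENT_THRESHOLD = 4.5

# Constructed SBOM fragment for the Supplied Software release under review.
SBOM_RELEASE_2 = [
    {"name": "libexample", "version": "1.2.0"},
    {"name": "jsonparse", "version": "3.0.1"},
    {"name": "tinylog", "version": "0.9.4"},
]

# Constructed vulnerability feed. IDs are placeholders, not real advisories.
KNOWN_VULNS = [
    {"id": "VULN-PLACEHOLDER-0001", "name": "libexample",
     "affected": ["1.2.0", "1.2.1"], "score": 7.8, "fixed_in": "1.2.2"},
    {"id": "VULN-PLACEHOLDER-0002", "name": "jsonparse",
     "affected": ["3.0.1"], "score": 3.1, "fixed_in": None},
]


@dataclass
class Finding:
    component: str
    version: str
    vuln_id: str
    score: float
    fixed_in: Optional[str]
    step: str = ""                       # documented remediation or mitigation step
    needs_customer_agreement: bool = False


def detect_known_vulnerabilities(sbom, feed) -> List[Finding]:
    """Bullets 1-3: for each SBOM component, match feed entries whose affected
    version list contains the shipped version, carrying the feed's score."""
    findings = []
    for comp in sbom:
        for vuln in feed:
            if vuln["name"] == comp["name"] and comp["version"] in vuln["affected"]:
                findings.append(Finding(comp["name"], comp["version"], vuln["id"],
                                        vuln["score"], vuln["fixed_in"]))
    return findings


def plan_step(finding: Finding, threshold: float = AGREEMENT_THRESHOLD) -> Finding:
    """Bullet 4: remediation when a fixed version exists, otherwise a
    mitigation (the alternative the new language adds); flag scores above
    the agreed threshold for Customer Agreement."""
    if finding.fixed_in:
        finding.step = f"remediate: upgrade {finding.component} to {finding.fixed_in}"
    else:
        finding.step = (f"mitigate: no fixed release of {finding.component}; "
                        "apply and document a compensating control")
    finding.needs_customer_agreement = finding.score > threshold
    return finding


def review_release(sbom, feed, threshold=AGREEMENT_THRESHOLD) -> List[Finding]:
    """Detection plus planning for one release, in SBOM order."""
    return [plan_step(f, threshold) for f in detect_known_vulnerabilities(sbom, feed)]


def agreement_queue(findings: List[Finding]) -> List[str]:
    """Vulnerability IDs that must go in front of the customer before release."""
    return [f.vuln_id for f in findings if f.needs_customer_agreement]


def releases_exposed(distributed: dict, vuln: dict) -> List[str]:
    """Last two bullets: given SBOMs of already distributed releases, list the
    ones that contain an affected version named in a newly disclosed vulnerability."""
    return [release for release, sbom in distributed.items()
            if detect_known_vulnerabilities(sbom, [vuln])]


if __name__ == "__main__":
    for f in review_release(SBOM_RELEASE_2, KNOWN_VULNS):
        flag = "CUSTOMER AGREEMENT" if f.needs_customer_agreement else "record only"
        print(f"{f.component} {f.version} {f.vuln_id} score={f.score}: {f.step} [{flag}]")
    # Constructed: release-1 shipped an older, unaffected libexample.
    shipped = {"release-1": [{"name": "libexample", "version": "1.1.9"}],
               "release-2": SBOM_RELEASE_2}
    print("exposed releases:", releases_exposed(shipped, KNOWN_VULNS[0]))
```

The remediation-versus-mitigation split is the point of the language change: a finding with no fixed upstream release cannot be closed by an upgrade, so the documented step has to be a compensating control, and the score still decides whether the customer is consulted.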
Rationale
We previously said "document necessary remediation steps suitable for the use-case of the software" but did not mention the alternative action of mitigation. To ensure completeness, this was added.