oasis-board-process-committee / TC-Process

Technical Committee Process
Creative Commons Attribution 4.0 International

Best Practices for TC's/OP's to follow vulnerability process #15

Open sparrell opened 10 months ago

sparrell commented 10 months ago

Now that OASIS has agreed to and published the vulnerability policy https://www.oasis-open.org/2023/10/13/oasis-open-adopts-a-vulnerability-disclosure-policy/, it would be useful to give best practices for the TCs and OPs to implement it. The policy states the emails should go to staff kicking off the process, but the reality is many outsiders will not know the process and will contact either the TC/OP management (e.g. the chairs and secretary via the email on TC/OP public pages) or the GitHub maintainers (I say this because I was contacted as a GitHub maintainer on a TC repo where I am one of the maintainers).

jordan2175 commented 9 months ago

There are several open questions about how to implement the vulnerability policy. @chet-ensign has a bunch of emails on this and needs to bring them all together. It would be good to run this example through the policy to make sure everything is working correctly. Chet will pull information he has and post it here.