oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Add party email or `product_id` to the items of `involvements` #597

Open tschmidtb51 opened 1 year ago

tschmidtb51 commented 1 year ago

The involvements section https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html#3237-vulnerabilities-property---involvements seems unclear to me about how you would identify the name of the vendor or coordination or other party that was involved as a stakeholder in the vulnerability disclosure. Can you clarify? Maybe I am missing something clear in the document.

For example: say I want to mention that a vendor named "Example" has a status of `contact_attempted` on the date 2022-11-16T17:00:00.000Z; it will look like below. There is no place to indicate the vendor's name (Example) or official PSIRT email (psirt@example.com) or any unique/readable field to identify the vendor to whom the contact was attempted. If what I see as missing is correct, I recommend adding fields to this involvement section that either tie it to a CSAF PID vendor or a URI field mailto email address field or a web endpoint where vulnerabilities can be submitted.

      "involvements": [
        {
          "party": "vendor",
          "status": "contact_attempted",
          "date": "2022-11-16T17:00:00.000Z",
          "summary": "An email was sent to vendor@example.com and an automated response was received. There was no NDR to indicate any kind of email delivery failure."
        }
      ]

The example shown in the validator testing at https://github.com/oasis-tcs/csaf/blob/ba8639f0602ac2cb76b7b8435790615a43987ba4/csaf_2.0/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_0-2021-6-1-24-11.json also does not indicate who actually is the "vendor" that was contacted.

Originally posted by @sei-vsarvepalli in https://github.com/oasis-tcs/csaf/issues/586#issuecomment-1334458428

tschmidtb51 commented 1 year ago

I guess we should add optional fields `contact` as contact information of the party that was used and `product_ids`/`group_ids` to list the products the communication was about.
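The gap discussed in this issue, seen from the side of a tool that consumes CSAF 2.0 documents (an added example, not part of the original thread or of the CSAF project's code): an involvement item carries only `party`, `status`, `date` and `summary`, so the only way to name the contacted party is to look for hints in the free-text summary. The function names, the email heuristic and the sample document are assumptions constructed for illustration.

```python
import json
import re

# Fields CSAF 2.0 defines for one item of `involvements`.
INVOLVEMENT_FIELDS = {"party", "status", "date", "summary"}
# Heuristic only (assumption): pull email-like strings out of free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: two different vendors contacted about one vulnerability.
SAMPLE = json.loads("""
{
  "vulnerabilities": [{
    "involvements": [
      {"party": "vendor", "status": "contact_attempted",
       "date": "2022-11-16T17:00:00.000Z",
       "summary": "An email was sent to vendor@example.com and an automated response was received."},
      {"party": "vendor", "status": "in_progress",
       "date": "2022-11-18T09:00:00.000Z",
       "summary": "A second vendor acknowledged the report by phone."}
    ]
  }]
}
""")

def audit_involvements(doc):
    """Return one record per involvement with any identity hint found in its summary."""
    records = []
    for v_idx, vuln in enumerate(doc.get("vulnerabilities", [])):
        for i_idx, inv in enumerate(vuln.get("involvements", [])):
            hints = sorted(set(EMAIL_RE.findall(inv.get("summary", ""))))
            records.append({
                "path": f"/vulnerabilities/{v_idx}/involvements/{i_idx}",
                "party": inv.get("party"),
                "status": inv.get("status"),
                "contact_hints": hints,
                # Anything outside the four defined fields, e.g. a proposed `contact`.
                "extra_fields": sorted(set(inv) - INVOLVEMENT_FIELDS),
            })
    return records

def unidentified(records):
    """Paths of involvements whose party cannot be named from the data."""
    return [r["path"] for r in records if not r["contact_hints"]]

if __name__ == "__main__":
    recs = audit_involvements(SAMPLE)
    for rec in recs:
        print(rec)
    print("unidentified:", unidentified(recs))
```

Both sample entries have `"party": "vendor"`, and only the one whose summary happens to quote an address can be tied to a specific organisation.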