oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Add an optional element in Profile 2: Security Incident Response indicating if own offerings and systems are affected #792

Open sonnyvanlingen opened 1 month ago

sonnyvanlingen commented 1 month ago

As can be read in 4.2 Profile 2: Security incident response:

This profile SHOULD be used to provide a response to a security breach or incident. This MAY also be used to convey information about an incident that is unrelated to the issuing party's own products or infrastructure.

For consumers of such CSAF documents, I would expect that this information about impact on the issuer's own products/services is useful to dictate how this CSAF document is displayed in CSAF viewers or prioritized in CSAF management systems.

Therefore I suggest adding an optional machine-readable value in Profile 2 entitled affects_issuing_party (or similar) with two valid values:

- yes
- no

tschmidtb51 commented 1 month ago

Do you envision using that option also in other profiles? How would I communicate that it is still unknown?

sonnyvanlingen commented 1 month ago

I think this adds the most value in Profile 2. For communicating the unknown status: I would be fine with introducing a value such as 'unknown' or 'under_investigation' too.
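How a consumer might act on the element proposed in this thread, as an added example that is not part of the CSAF specification or the oasis-tcs/csaf repository: the field name affects_issuing_party and the value set (yes, no, unknown, under_investigation) are taken from the discussion above, the category string is the one CSAF 2.0 uses for Profile 2, and the three-document feed is constructed for illustration.

```python
import json

# Category string CSAF 2.0 uses for Profile 2 (Security incident response).
PROFILE2_CATEGORY = "csaf_security_incident_response"
# Value set floated in the issue; hypothetical, not part of the published schema.
ALLOWED_VALUES = ("yes", "no", "unknown", "under_investigation")
# Display priority a viewer might derive: unresolved states rank with "yes".
PRIORITY = {"yes": 0, "under_investigation": 0, "unknown": 1, "no": 2}


def affects_issuing_party(doc):
    """Read the proposed optional element from a parsed CSAF document.

    Returns "unknown" when the element is absent (it is optional), None for
    documents of other profiles, and raises ValueError if the element appears
    outside Profile 2 or carries a value outside the agreed set, so a consumer
    never silently mis-prioritises.
    """
    document = doc["document"]
    value = document.get("affects_issuing_party")
    if document.get("category") != PROFILE2_CATEGORY:
        if value is not None:
            raise ValueError("affects_issuing_party is only defined for Profile 2")
        return None
    if value is None:
        return "unknown"
    if value not in ALLOWED_VALUES:
        raise ValueError(f"unexpected affects_issuing_party value: {value!r}")
    return value


def order_for_display(docs):
    """Sort Profile 2 documents so those affecting the issuer's own offerings
    (or still under investigation) come first; ties keep feed order."""
    return sorted(docs, key=lambda d: PRIORITY[affects_issuing_party(d)])


# Constructed sample feed: three minimal Profile 2 fragments (not real advisories).
SAMPLE_FEED = json.loads("""[
  {"document": {"category": "csaf_security_incident_response", "csaf_version": "2.0",
                "title": "Third-party incident, issuer not affected",
                "affects_issuing_party": "no"}},
  {"document": {"category": "csaf_security_incident_response", "csaf_version": "2.0",
                "title": "Incident, impact still being assessed"}},
  {"document": {"category": "csaf_security_incident_response", "csaf_version": "2.0",
                "title": "Breach of issuer's own infrastructure",
                "affects_issuing_party": "yes"}}
]""")

if __name__ == "__main__":
    for d in order_for_display(SAMPLE_FEED):
        print(affects_issuing_party(d), "-", d["document"]["title"])
```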