Closed reggiechen31 closed 12 months ago
@adriandiglio Could you answer my question please? thanks
Hi @reggiechen31! Thanks for the question :)
The SCA-5 requirement is simply that your organization is performing proactive security reviews of OSS and helping improve the security of the entire ecosystem by partnering with the upstream maintainer (confidentially, outside of public GitHub issues, via private security notifications) and suggesting a fix. FIX-1 is for when you come across a zero-day vulnerability that is so severe that your organization feels it can't wait for the upstream maintainer to issue a public fix. The only other action would be to implement a private fix (just for your team/organization) while you continue trying to partner with the upstream maintainer on a public fix. A private fix should always be considered a temporary risk-reduction measure for extreme circumstances, as your team/organization should plan to convert to the public fix once it is available.
I hope that helps!
Folded into new FAQ
What is the difference between SCA-5 and FIX-1? The benefit of SCA-5: identify zero-day vulnerabilities and confidentially contribute fixes back to the upstream maintainer. But FIX-1: to be used only in extreme circumstances when the risk is too great, and to be used temporarily until the upstream maintainer issues a fix.