ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

What is the difference between SCA-5 and FIX-1? #12

Closed reggiechen31 closed 12 months ago

reggiechen31 commented 1 year ago

What is the difference between SCA-5 and FIX-1? The Benefit for SCA-5: Identify zero-day vulnerabilities and confidentially contribute fixes back to the upstream maintainer. But the FIX-1: To be used only in extreme circumstances when the risk is too great and to be used temporarily until the upstream maintainer issues a fix.

reggiechen31 commented 1 year ago

@adriandiglio Could you answer my question please? Thanks.

adriandiglio commented 1 year ago

Hi @reggiechen31! Thanks for the question :)

The SCA-5 requirement is simply that your organization is performing proactive security reviews of OSS and helping improve the security of the entire ecosystem by partnering with the upstream maintainer (confidentially, outside of public GitHub issues, via private security notifications) and suggesting a fix. FIX-1 is when you come across a zero-day vulnerability that is so severe that your organization feels it can't wait for the upstream maintainer to issue a public fix. The only other action would be to implement a private fix (just for your team/organization) while you continue trying to partner with the upstream maintainer on a public fix. A private fix should always be considered a temporary risk reduction measure for extreme circumstances, as your team/organization should plan to convert to the public fix once it is available.

I hope that helps!

jasminewang0 commented 12 months ago

Folded into new FAQ