ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

List of vulnerability disclosure standards #67

Open MarcinHoppe opened 3 years ago

MarcinHoppe commented 3 years ago

This issue is a result of the discussion started in #53 and continued in the WG meeting on October 26, 2020.

The goal is to create a list of industry standards relevant to OSS vulnerability disclosure processes, starting with:

We should probably also be looking at "adjacent" standards and evaluate how well they work in OSS context:

I imagine we could focus on creating a document that explains where those standards come into play, and what are their strengths and weaknesses in the OSS context.

dodys commented 3 years ago

Creating such a doc would be great and would allow us to have a better discussion during the meetings, as I imagine not everyone knows/has worked with all of them. Should this doc be in the repo or something like gDocs?

MarcinHoppe commented 3 years ago

I think my preference would be a Markdown file here in this repo (we could discuss in a PR), but I am open to suggestions!

Foxboron commented 3 years ago

After the initial documentation is done we could also try to figure out which providers use which format as a form of example.

MarcinHoppe commented 3 years ago

Do you mean organizations such as Linux distros that might handle disclosure for upstream OSS software?

Foxboron commented 3 years ago

Right, that was another thing we should document. But I was more thinking of pointing at which standards are in use where. As an example, Red Hat uses CVRF 1.2 loosely converted to JSON. It might be handy to have such things mentioned for implementation purposes.

For documenting disclosure procedures we can maybe open another issue?

MarcinHoppe commented 3 years ago

I think that would be a separate issue. Data formats will likely be a part of that, but there's also a process component.

esarafianou commented 3 years ago

I made an attempt to document CSAF CVRF version 1.2 in #72. Let me know what you think of the content and format and we can iterate on it.

stevespringett commented 3 years ago

Let me know if anyone needs clarification on how CycloneDX handles this. In short, it supports disclosure and remediation use cases. I gave a presentation to the NTIA VEX subgroup last month on this topic.

MarcinHoppe commented 3 years ago

@stevespringett would you be interested in attending one of the WG meetings and telling us more about it? I am very curious myself.

stevespringett commented 3 years ago

Certainly @MarcinHoppe. I've added the invite to my calendar.

MarcinHoppe commented 3 years ago

@stevespringett do you want to join this Monday (11/16) or the next one? I will find some time on the agenda on the date that is convenient for you.

stevespringett commented 3 years ago

@MarcinHoppe Sure, I can join this Monday. I have a recurring conflict that cuts into the first 30 minutes of the meeting, but I can attend the second half of the meeting. Would likely take about 20 min or so.

MarcinHoppe commented 3 years ago

@stevespringett Great! I will slate your presentation in the second half of the meeting.

JasonKeirstead commented 3 years ago

Can we add SARIF to the above list, as it came up in another thread?

https://www.oasis-open.org/committees/sarif/charter.php
https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html

MarcinHoppe commented 3 years ago

When we drill down into personas and use cases, it would be great to map existing standards to those.

david-a-wheeler commented 3 years ago

Note: In the meeting today, we discussed that users of the document would typically not care about many of these. If you disagree, let's talk!