spec.md
Lines changed: 14 additions & 7 deletions
@@ -32,6 +32,8 @@ A Coordinated Vulnerability Disclosure is a way of disclosing a Vulnerability in
32
32
33
33
A Coordinator is a person or organization that coordinates communication and disclosure between multiple parties including Researchers and Organizations.
34
34
35
+
A Security Advisory is a publication indicating a certain version range of a certain product contains a vulnerability. Such an advisory is commonly published by the Organization as the result of the Coordinated Vulnerability Disclosure process, but may also be published by third parties.
36
+
35
37
## Vulnerability Reporting Policy
36
38
37
39
An Organization MUST have a method to deal with vulnerability reports, resolution of issues and distribution of fixes, mitigations, or information.
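Review bot: the new definition of Security Advisory (new line 35) should use the spec's own defined terms and tighten its wording. "a certain version range of a certain product contains a vulnerability" writes "product" and "vulnerability" in lowercase, while the rest of the spec capitalizes Product and Vulnerability as defined terms. Suggest: "A Security Advisory is a publication stating that a given version range of a Product contains a Vulnerability." It would also help to say whether an advisory published by a third party (for example a Coordinator, defined just above) counts as a Security Advisory for the purposes of the "Advisories for dependencies" section added later in this change.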
@@ -70,7 +72,7 @@ If the Organization is distributing software in the binary form, the software MU
70
72
71
73
## Vulnerability sources
72
74
73
-
Organizations accept vulnerabilities from multiple sources and they MUST accept vulnerability reports from external and internal Researchers. If it does trace Vulnerabilities in dependencies using SBOM, it MUST also accept reporting from automatic tools.
75
+
Organizations accept vulnerability reports from multiple sources. They MUST accept vulnerability reports from external and internal Researchers.
74
76
75
77
### External reporting
76
78
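Review bot: this hunk silently drops a requirement. The removed sentence made accepting reports from automatic tools a MUST for Organizations that trace Vulnerabilities in dependencies using an SBOM; nothing in the replacement sentence preserves it, and the "Advisories for dependencies" section added later in this change only says Organizations MAY leverage SBOMs and MAY use their handling process. If the downgrade from MUST to MAY is intended, say so in the commit message; otherwise keep a sentence such as "Organizations that trace Vulnerabilities in dependencies MUST also accept reports from automated tools."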
@@ -82,17 +84,13 @@ If an Organization is hosting multiple software Products, they MAY have specific
82
84
83
85
Organizations MUST apply the same processes for internal and external vulnerability reporting.
84
86
85
-
### Automated reporting
86
-
87
-
Organizations SHOULD trace disclosed vulnerabilities in dependencies.
88
-
89
87
## Vulnerability handling inside an organization
90
88
91
89
Organizations MUST clearly assign potential vulnerability management to a group or individuals.
92
90
93
91
All Vulnerabilities MUST be resolved: either fixed, or mitigated, or documented. The resolution time depends on the vulnerability type, but it MUST be reasonable.
94
92
95
-
If during the analysis the organization finds out that the cause of a Vulnerability is located in a product that is a dependency, the Organization MUST report the Vulnerability to the upstream project, using one of their official vulnerability reporting channels. The communication between multiple Organizations follows the rules of Coordinated Vulnerability Handling and Disclosure.
93
+
If during the analysis the Organization finds out that the cause of a Vulnerability is located in a dependency, the Organization MUST report the Vulnerability to the upstream project, using one of their official vulnerability reporting channels. The communication between Organizations follows the rules of Coordinated Vulnerability Handling and Disclosure.
96
94
97
95
In case if the upstream Organization does not provide a fix in a reasonable timeline, the Organization MAY provide a fix or a mitigation.
98
96
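Review bot: the rewritten sentence (new line 95) still refers to "the rules of Coordinated Vulnerability Handling and Disclosure", but the term defined in the first hunk's context is "Coordinated Vulnerability Disclosure"; either align to the defined term or define the longer one. Also, with the "### Automated reporting" subsection deleted here, the unchanged line "Organizations MUST apply the same processes for internal and external vulnerability reporting" now leaves reports from automated tools unaddressed in this section; a short cross-reference to the dependency section added later in the patch would close that gap.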
@@ -108,7 +106,7 @@ In case of such a multi-party vulnerability handling, all parties SHOULD agree o
108
106
109
107
## Vulnerability publication
110
108
111
-
The Organization MUST publish all resolved vulnerabilities. Each Organization MUST publish a list of all publicly known Vulnerabilities in their products. This publication SHOULD happen on a web page and SHOULD offer a machine-readable version.
109
+
The Organization MUST publish a Security Advisory for each resolved vulnerability in their own product, and publish a list of these advisories. This publication SHOULD happen on a web page and SHOULD offer a machine-readable version.
112
110
113
111
The publication of the list of known Vulnerabilities takes a form of a list of their identification (one or multiple ones) and at least one link to a public resource describing this Vulnerability (at least the affected product and versions, affected configurations and a general description) and SHOULD include an estimation of severity of the Vulnerability. The Organization MAY include additional information.
114
112
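Review bot: the rewrite narrows what must be published. The old text required a list of all publicly known Vulnerabilities in the Organization's products; the new text requires a Security Advisory for each resolved vulnerability, so a Vulnerability that is already public (for example disclosed by a third party) but not yet resolved no longer has to appear anywhere. If that is intended, state it; if not, add "and for each publicly known Vulnerability that is not yet resolved". Two consistency points: the unchanged paragraph right after this hunk still speaks of "the list of known Vulnerabilities", which no longer matches "a list of these advisories", and "vulnerability" / "product" should be the capitalized defined terms used elsewhere. Note that "resolved" as defined earlier in the spec includes "documented", so an advisory is also required where the only resolution is documentation; that seems right but is worth saying explicitly.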
@@ -118,6 +116,15 @@ This information SHOULD also available in machine-readable format.
118
116
119
117
For higher severity Vulnerabilities, the Organization SHOULD also publish an advisory containing information regarding affected configurations, possible mitigations and all information considered useful for users of the Product.
120
118
119
+
## Advisories for dependencies
120
+
121
+
Organizations SHOULD trace Security Advisories for dependencies.
122
+
They MAY leverage SBOMs for this purpose.
123
+
They MAY use their vulnerability handling process for these potential issues.
124
+
125
+
Organizations MAY publish a statement on a web page specifying whether advisories for 3rd-party dependencies affect their product.
126
+
If so, they SHOULD provide a machine-readable version.
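Review bot: "If so, they SHOULD provide a machine-readable version" (new line 126) is ambiguous: "if so" can be read as "if the Organization publishes such a statement" or as "if the advisories do affect their product". Suggest "If they publish such a statement, they SHOULD also provide it in a machine-readable format", matching the wording of the publication section. Two smaller points: "3rd-party" should be "third-party" for consistency with "third parties" in the definition added in the first hunk, and "They MAY use their vulnerability handling process for these potential issues" is weaker than the rest of the spec; once a dependency advisory is confirmed to affect the Product, it is a Vulnerability in the Product and is already covered by "All Vulnerabilities MUST be resolved" above, so consider stating that explicitly rather than leaving it as a MAY.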