wg-vulnerability-disclosures
List of vulnerability disclosure standards
This issue is a result of the discussion started in #53 and continued in the WG meeting on October 26, 2020.
The goal is to create a list of industry standards relevant to OSS vulnerability disclosure processes, starting with:
- CVE
  - In particular: the JSON schema
- CVSS
- CVRF / CSAF
We should probably also be looking at "adjacent" standards and evaluate how well they work in OSS context:
- CPE
- SWID tags
- PURL
- SCAP family of specifications
- SBoM standards
  - SPDX
  - CycloneDX
I imagine we could focus on creating a document that explains where those standards come into play, and what are their strengths and weaknesses in the OSS context.
Creating such a doc would be great and would allow us to have a better discussion during the meetings, as I imagine not everyone knows/has worked with all of them. Should this doc be in the repo or something like gDocs?
I think my preference would be a Markdown file here in this repo (we could discuss in a PR), but I am open to suggestions!
After the initial documentation is done we could also try to figure out which providers use which format, as a form of example.
Do you mean organizations such as Linux distros that might handle disclosure for upstream OSS software?
Right, that was another thing we should document. But I was more thinking of pointing at which standards are in use where. As an example, Red Hat uses CVRF 1.2 loosely converted to JSON. It might be handy to have such things mentioned for implementation purposes.
For documenting disclosure procedures we can maybe open another issue?
I think that would be a separate issue. Data formats will likely be a part of that, but there's also a process component.
I made an attempt to document CSAF CVRF version 1.2 in #72. Let me know what you think about the content and format and we can iterate on it.
Let me know if anyone needs clarification on how CycloneDX handles this. In short, it supports disclosure and remediation use cases. I gave a presentation to the NTIA VEX subgroup last month on this topic.
@stevespringett would you be interested in attending one of the WG meetings and telling us more about it? I am very curious myself.
Certainly @MarcinHoppe. I've added the invite to my calendar.
@stevespringett do you want to join this Monday (11/16) or the next one? I will find some time on the agenda on the date that is convenient for you.
@MarcinHoppe Sure, I can join this Monday. I have a recurring conflict that cuts into the first 30 minutes of the meeting, but I can attend the second half of the meeting. Would likely take about 20 min or so.
@stevespringett Great! I will slate your presentation in the second half of the meeting.
Can we add SARIF to the above list, as it came up in another thread?
https://www.oasis-open.org/committees/sarif/charter.php
https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html
When we drill down into personas and use cases, it would be great to map existing standards to those.
Note: In the meeting today, we discussed that users of the document would typically not care about many of these. If you disagree, let's talk!