Thanks Andreas - I'll be reviewing those with the committee. We have had discussion on those topics - just haven't reached consensus yet. /chet On Thu, May 21, 2020 at 5:08 PM Andreas Kuehne <
kuehne@trustable.de > wrote: Hi Chet, see my comments in Policy document. My major topic is that the complexity of a violnerability of standard (compared with a software flaw) is not addressed: - Who are the stakeholders? - How to contact them? - How to avoid unintended full disclosure by informing vulnerabilty traders? Greetings, Andreas > Andreas, this is really interesting. We have two documents right now: > > - The Vulnerability Handling and Disclosure Policy at >
https://docs.google.com/document/d/1Vx-ul_MTenguAmFZKnMS89yEu1YMbvRenJGk0D7N3KI/edit#heading=h.7m6wq9expm3e > > - The Vulnerability Handling and Disclosure Process at >
https://docs.google.com/document/d/1qxp3EMq8KKq84smrAFyWlnL87oOrPj-kT9dxefjk5Pc/edit#heading=h.7m6wq9expm3e > - > the Process is the document that we'll put on the OASIS public pages to > guide researchers who want to report findings. > > With the link, you can comment. You will see that we have had a lot of > feedback already from members of the Open Projects Advisory Council. Feel > free to add comments if you'd like. The Board Process Committee is > reviewing these now with the intention to send these to the full Board for > review soon. > > So, I want to be sure I understand your situation. I looked at the page on > the Mitre site and I don't get a result for CVE-2020-13101. I see results > for 2019- and 2018-. For 2020- I found "** RESERVED ** This candidate has > been reserved by an organization or individual that will use it when > announcing a new security problem. When the candidate has been publicized, > the details for this candidate will be provided." Is it the TC that made > the reservation? > > Assuming that's the case: that you all discovered a vulnerability, > addressed it, and have reserved the identifier, can you tell me the story? > How did you find out about it, how did you deal with it, etc. etc. This is > a great education for me (and the rest of the committee I'm sure) and can > help me make sure we are putting the right things in place. > > In terms of where to post the notice, that is a great question. I had not > thought about that in detail. Your suggestion makes perfect sense - a link > on the download section and a reference one the TC's home page. We may wind > up needing a Vulnerabilities list somewhere on the OASIS site but for now, > notice on the TC page may be enough. > > In any case, thanks - I'm looking forward to hearing more details. > > /chet > > > On Mon, May 18, 2020 at 11:14 AM Andreas Kuehne <
kuehne@trustable.de > wrote: > >> Hi Chet, >> >> We (the Board Process Committee to be precise) is working on a process >> document now. I'm happy to share the working draft if you'd like to review >> it. >> >> great! Would be a please or me to do a review! >> >> When you say "file it officially," do you mean that the TC has already >> developed the fix and that you want to announce it in one of the >> vulnerability databases? >> >> Yes, the new version of the DSS-X core does not include the option for the >> attack. And it is pretty forward for users of the version 1 to avoid these >> probems. Just reject the 'inline XML' data transfer option. >> >> I thought of a warning iin the download section loke this >> >> and a corresponding hint on the TC home page. >> >> The vulnerability has the identifier CVE-2020-13101 assigned. >> >> >> Greetings, >> >> >> Andreas >> >> /chet >> >> On Sun, May 17, 2020 at 12:46 PM Andreas Kuehne <
kuehne@trustable.de > <
kuehne@trustable.de > wrote: >> >> >> Hi Chet, >> >> >> we already discussed the topic soe time ago: The DSS core V1.0 has a >> vulnerability and we like to file it officially. Is there an official >> OASIS process for it? If not, I would suggest that we add a remark >> including the link to the explaination & mitigation document and the CVE >> at a prominent place on the TC home page and at the standards download >> section. >> >> >> Gretings, >> >> >> Andreas >> >> -- >> Andreas KÃhne >> >> Chair of OASIS DSS-X >> >> phone: +49 177 293 24 97 >> mailto:
kuehne@trustable.de >> >> Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 >> Hannover Amtsgericht Hannover HRB 212612 >> >> Director Andreas KÃhne >> >> Company UK Company No: 5218868 Registered in England and Wales >> >> >> >> >> >> -- >> Andreas KÃhne >> >> Chair of OASIS DSS-X >> >> phone: +49 177 293 24 97 >> mailto:
kuehne@trustable.de >> >> Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612 >> >> Director Andreas KÃhne >> >> Company UK Company No: 5218868 Registered in England and Wales >> >> -- Andreas KÃhne Chair of OASIS DSS-X phone: +49 177 293 24 97 mailto:
kuehne@trustable.de Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612 Director Andreas KÃhne Company UK Company No: 5218868 Registered in England and Wales -- /chet ---------------- Chet Ensign Chief Technical Community Steward OASIS: Advancing open source & open standards for the information society
http://www.oasis-open.org Mobile: +1 201-341-1393