OpenVEX lively discussion underway on GitHub OpenSSF
https://github.com/ossf/wg-vulnerability-disclosures/issues/125
This video leaves me questioning where Microsoft stands on OpenVEX.
Art Manion’s description of the CISA process is worth listening to:
https://youtu.be/oZO3rg9mL1w?t=1102
The entire segment is also very insightful.
https://www.youtube.com/watch?v=oZO3rg9mL1w&t=915s
I presume that people understand a VEX is a “negative security advisory”, listing all the products which ARE NOT AFFECTED by a vulnerability, which is the opposite of a Security Advisory that lists products which ARE AFFECTED by a vulnerability.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
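As an added example that is not part of the post above, the following Python shows the “negative advisory” idea in practice: a constructed OpenVEX document carries a `not_affected` statement, and scanner findings matching it are dropped while everything else is kept. The field names follow the OpenVEX specification as I understand it; the document identifiers, product identifiers and CVE numbers are constructed placeholders, and a `not_affected` statement lacking both `justification` and `impact_statement` is deliberately not trusted.

```python
import json

# Constructed sample: findings a scanner reported for two products.
FINDINGS = [
    {"vuln": "CVE-2000-0001", "product": "pkg:example/app@1.0"},
    {"vuln": "CVE-2000-0001", "product": "pkg:example/lib@2.3"},
    {"vuln": "CVE-2000-0002", "product": "pkg:example/app@1.0"},
]

# Constructed OpenVEX document (assumed field names): the vendor states
# that app 1.0 does not contain the vulnerable code for CVE-2000-0001.
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/1",
    "author": "Example Vendor PSIRT",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-2000-0001"},
        "products": [{"@id": "pkg:example/app@1.0"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_present",
    }],
})

VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}


def not_affected_pairs(vex_json):
    """(vuln, product) pairs the VEX declares not_affected.

    A not_affected statement with neither a justification nor an
    impact_statement is not trusted and is skipped.
    """
    pairs = set()
    for st in json.loads(vex_json)["statements"]:
        if st["status"] not in VALID_STATUS:
            raise ValueError(f"unknown VEX status {st['status']!r}")
        if st["status"] != "not_affected":
            continue
        if not (st.get("justification") or st.get("impact_statement")):
            continue
        for p in st["products"]:
            pairs.add((st["vulnerability"]["name"], p["@id"]))
    return pairs


def apply_vex(findings, vex_json):
    """Drop findings the VEX marks not_affected; keep all others."""
    suppressed = not_affected_pairs(vex_json)
    return [f for f in findings if (f["vuln"], f["product"]) not in suppressed]
```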