Vulnerability Handling and Disclosure Policy

Source: OASIS Vulnerability Handling & Disclosure Policy.

Overview

This policy governs how OASIS committees and staff receive and respond to reports of potential vulnerabilities in OASIS standards and technical work. It ensures that staff and committee members understand their responsibilities when a vulnerability report is received, and provides clear procedures for handling such matters. In certain circumstances, this policy temporarily supersedes OASIS’s normal transparency requirements.

Key Definitions

Vulnerability — Any element in a specification or technical implementation that could allow an implementation to be exploited.

Embargo period — The period during which a vulnerability remains confidential to allow solutions to be developed before public disclosure.

Executive Session — Closed meeting to address a vulnerability report without public disclosure.

Responsible Party — The individuals responsible for investigating and responding to a vulnerability report, typically the TC Administrator and chair, or Project Governing Board.

Vulnerability response team — People appointed to investigate and remediate a reported vulnerability.

Receiving Reports

Staff and committee members must receive and act on vulnerability reports regardless of their initial assessment of feasibility. Reports may arrive through the Disclosure Process, committee communications, or personal contact.

When receiving a report, attempt to collect:

  • Name, version, and link to the affected standard or code
  • Severity assessment (low, medium, or high)
  • Description of the vulnerability and how it could be exploited
  • Known affected implementations
  • Steps to reproduce
  • Reporter contact information

Acknowledge receipt within 72 hours. Do not communicate vulnerability details through any publicly visible channel.

Notifying OASIS Staff and Responsible Parties

After receiving a report, notify the responsible party through the Disclosure Process or alert OASIS staff. OASIS staff must be invited to all relevant meetings and must report regularly to the (Interim) ED and Board. Minutes are required but need not be published.

Confidentiality During Remediation

Vulnerability details must not be shared through publicly visible channels at any stage prior to authorized disclosure. A secure, private team workspace is established for non-minor vulnerabilities. Staff should maintain professional conduct in all communications, recognizing that records may eventually become public.

Notifying Affected Stakeholders

The responsible party determines when and how to notify stakeholders whose implementations may be affected. An embargo period may be established to allow stakeholders time to implement fixes before public disclosure. The (Interim) ED or Board may direct public disclosure if continued confidentiality presents unacceptable risk.

Forming a Vulnerability Response Team

If a flaw is confirmed, the responsible party assembles a response team of committee members with relevant expertise. Outside experts, including the reporter, may be invited. OASIS can offer temporary no-cost membership to invited experts, who must sign the Membership Agreement.

Disclosure Timeline

Within 90 days maximum, OASIS must make vulnerability information publicly accessible unless directed otherwise by the (Interim) ED, Board, or legal authority. Earlier disclosure may occur on appeal from responsible party members, stakeholders, or by legal demand.

Vulnerability Databases

The responsible party — with OASIS staff assistance — determines whether to notify vulnerability databases including the NIST National Vulnerability Database, CVE, and CERT/CC.

OASIS commits to not pursuing or supporting legal action against researchers who disclose vulnerabilities through the proper process. OASIS cannot make this commitment on behalf of its membership.

Security Researcher Hall of Fame

Following full execution of the disclosure procedures, OASIS may list researchers who submitted first-of-a-kind vulnerabilities on a Hall of Fame page. OASIS retains sole discretion over listings.