-
Notifications
You must be signed in to change notification settings - Fork 40
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #816 from oasis-tcs/2024-07-31
Meeting Minutes for 2024-07-31
- Loading branch information
Showing
1 changed file
with
69 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
|  | ||
|
|
||
| # Common Security Advisory Framework (CSAF) Technical Committee Working Meeting | ||
|
|
||
| - Meeting Date: July 31, 2024 | ||
| - Time: 17:00 UTC (19:00 CEST, 13:00 EDT, 10:00 PDT) | ||
|
|
||
| ## Call to Order and Welcome | ||
|
|
||
| Meeting called to order @ 17:03 UTC | ||
|
|
||
| ## Roll call | ||
| Inability to register attendees due to OASIS system challenges. | ||
|
|
||
| ## Participants | ||
|
|
||
| | Given Name | Family Name | Affiliation | Role | | ||
| |:-----------|:------------|:------------------------------------------------------------|:--------------| | ||
| | Christoph | Plutte | Ericsson | Voting Member | | ||
| | Denny | Page | Individual | Voting Member | | ||
| | Dina | Truxius | Federal Office for Information Security (BSI) | Voting Member | | ||
| | Feng | Cao | Oracle | Voting Member | | ||
| | JD | Stefaniak | Dell | Member | | ||
| | Justin | Murphy | DHS Cybersecurity and Infrastructure Security Agency (CISA) | Voting Member | | ||
| | Michael | Reeder | Dell | Voting Member | | ||
| | Omar | Santos | Cisco | Chair | | ||
| | Rhonda | Levy | Cisco | Voting Member | | ||
| | Sonny | van Lingen | Huawei Technologies Co., Ltd. | Voting Member | | ||
| | Stefan | Hagen | Individual | Voting Member | | ||
| | Thomas | Schaffer | Cisco | Voting Member | | ||
| | Thomas | Schmidt | Federal Office for Information Security (BSI) | Voting Member | | ||
| | Vivek | Nair | Microsoft | Voting Member | | ||
| | Tobi | Limmer | Siemens | Voting Member | | ||
|
|
||
| ### Observers present | ||
|
|
||
| Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab. | ||
|
|
||
| ## Agenda | ||
|
|
||
| - Roll call cannot be done automatically, we will approve meeting minutes via email. | ||
| - Updates about other OASIS projects | ||
| - Review GitHub Issues for TC Discussion: https://github.com/oasis-tcs/csaf/issues | ||
| - Discuss next steps. | ||
| - Adjourn | ||
|
|
||
|
|
||
| ## Meeting Notes | ||
|
|
||
| - The voting process has been streamlined via email, allowing work items to be discussed and addressed during the call. | ||
| - Omar introduced the [Coalition for Secure AI (CoSAI)](https://www.coalitionforsecureai.org/) has gained significant momentum with many new members joining since its launch. The coalition focuses on AI security governance, incident response, and supply chain security. | ||
| - Discussed open issues marked for TC discussion. All of the motions and follow ups will be done via email. | ||
| - The pull request #761 on the CSAF GitHub repository proposes several changes: | ||
| - The term `scores` is changed to `metrics` to better align with the intended use and context. | ||
| - New Level Addition: A new level called `content` is introduced to group scores (now metrics). | ||
| - Optional Property: A `source` property is added as an optional field, formatted as a URI. This provides a way to include the URL of the source that originally determined the `metric`. | ||
| - These changes are part of addressing issues #754, #341, and #624, and they aim to improve the clarity and structure of CSAF by refining terminology and adding useful metadata. | ||
| - We also discussed the proposal to enable consumers to differentiate between system advisories with actions required and informational advisories with no actions expected. Voting will be done via email. All of the emails and motions [are available here](https://groups.oasis-open.org/communities/community-home/digestviewer?communitykey=dfd6f6ef-b478-4686-baed-018dc7d3f240). | ||
| - There was a discussion about issues and pull requests, with Thomas highlighting the need to address the SSVC. | ||
| - The inclusion of SSVC into CSAF is strongly endorsed by multiple participants, as it would be helpful for assessments and decision-making. | ||
| - SSVC is prioritizing vulnerabilities that have been exploited and have a technical impact on the organization. | ||
| - _Addendum (after the meeting): Issue https://github.com/oasis-tcs/csaf/issues/803 was opened to continue the conversation. Additional references [here](https://github.com/oasis-tcs/csaf/issues/803#issuecomment-2441988277)._ | ||
|
|
||
| ## Adjourn | ||
|
|
||
| - The meeting was adjourned @ 18:00 UTC | ||
|
|
||
| **Note**: All monthly meetings take place on the last Wednesday of each month at 13:00 EDT (17:00/18:00 UTC). | ||
|
|