Re: [open-regulatory-compliance] Vulnerability Handling Task Force Meeting Minutes

I think a handbook would be much more accessible than a whitepaper, though one could inform the other.

Mat


On 1 July 2025 10:04:31 am GMT+02:00, Daniel Thompson-Yvetot via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
I would go harder than “whitepaper”. A Steward Handbook.

With intro from the commission and preface from Maarten.

On Tue, 01 Jul 2025 at 09:50, Olle E. Johansson via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
On 1 Jul 2025, at 09:33, Marta Rybczynska via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
On Thu, Jun 19, 2025 at 7:07 PM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi all,
As agreed during today's call, please use this email thread to discuss topics for potential TF deliverables.

Here are some possible topics that were raised:
  • A document describing the role and obligations of stewards
  • Best current practice for SBOM in open source projects
  • Describing the relation between open source projects and manufacturers in regard to vuln management
Additionally, it might be worth getting acquainted with the deliverables plan as it contains a number of deliverables that might be interesting for this TF to get involved with or to drive.


Dear all,
I would like to propose a whitepaper the group can work on. According to my knowledge, no group (in ORC or otherwise) is working on this.

Proposal title: Open Source Software Stewards and CRA Whitepaper
Description:

The Cyber Resilience Act (CRA) defines a new category of organizations, Open Source Stewards (Stewards hereafter). It also defines obligations for them that are different from those of other categories like manufacturers. This whitepaper will aim at elaborating on the obligations, restrictions, and penalties that will be imposed on Stewards.

From the elaboration on the legal text, we will outline the missing pieces / documents / procedures that Stewards need to have to fulfil their obligations.

The goal is NOT to provide a definition or guidance about who is and who is not a steward for a Product with Digital Elements qualifying as Open Source Software.

Opinions?

Brilliant idea!

/O

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org