https://github.com/ossf/wg-vulnerability-disclosures/issues/125
This video leaves me questioning where Microsoft stands on OpenVEX.

Art Manion's description of the CISA process is worth listening to: https://youtu.be/oZO3rg9mL1w?t=1102

The entire segment is also very insightful: https://www.youtube.com/watch?v=oZO3rg9mL1w&t=915s

I presume that people understand a VEX is a "negative security advisory", listing all the products which ARE NOT AFFECTED by a vulnerability, which is the opposite of a Security Advisory that lists products which ARE AFFECTED by a vulnerability.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
