FYI:
SPDX v2.3 is already well aligned to support this vulnerability reporting legislation, if it passes. This also aligns with NIST guidance on vulnerability reporting: "Ensure that third-party suppliers continuously enrich SBOM data with a VAR".

NOTE: NIST has renamed "Vulnerability Disclosure Report" (VDR) to "Vulnerability Advisory Report" (VAR) in SP 800-161r1-upd1 (RA-5) to better align with IEC 29147:2018, and to avoid confusion with a "vulnerability report", which researchers create to report vulnerabilities.

https://energycentral.com/c/iu/vulnerability-disclosure-policy-bill-federal-contractors-clears-senate-panel

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report!
"Risk always exists, but trust must be earned and awarded."
https://businesscyberguardian.com/
Email: [email protected]
Tel: +1 978-696-1788

Message archived at: https://lists.spdx.org/g/Spdx-tech/message/5793
