Cyber Resilience Practices

Wednesday, November 13, 2024 - 10:15 by Tobie Langel
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community.
Proposal State: Community Review
Background

The Eclipse Foundation has recently launched the Open Regulatory Compliance Working Group (ORC WG). This working group brings together key stakeholders from industry, small and medium enterprise (SME), research, and open source foundations to help address new government regulations impacting open source communities through education, thought leadership, engaging with relevant institutions, and developing specifications.

One of the initial focuses of the ORC WG is to help open source communities and the broader tech industry better understand and prepare to meet the compliance requirements of the European Cyber Resilience Act (CRA) and of similar upcoming legislation in other jurisdictions. To do so, the ORC WG has created the Cyber Resilience Special Interest Group (SIG). This SIG has identified a set of specifications that are required to further its mission. The intention is for the Cyber Resilience Practices Project to host these specifications and develop them with guidance from the SIG.

Initial work will focus on implementing the specifications defined by the SIG’s 2025 Deliverables Plan, including:

  • Vulnerability Handling;
  • Security Policy for Open Source Software Stewards;
  • Principles for Cyber Resilience for Open Source Development; and
  • Generic Security Requirements for Open Source Components.

The Vulnerability Handling specification will be created first.

Scope

Cyber Resilience Practices provides specifications designed to support compliance with global legislation aimed at enhancing cyber resilience.

Description

The Cyber Resilience Practices Project develops specifications designed to help improve the cyber resilience of open source projects and of the products that incorporate them, and to facilitate compliance with related regulation worldwide.

The first specification to be developed by this project is the Vulnerability Handling Specification.

The Vulnerability Handling Specification focuses on vulnerability management for products with digital elements, as outlined by the Essential Requirements of the CRA. It details the necessary components of a vulnerability handling policy, including procedures for receiving reports, resolving issues, and disclosing vulnerabilities. Additionally, it specifies the requirements for managing vulnerable dependencies.

Why Here?

An Eclipse Foundation Project is the logical home to develop specifications for Eclipse Foundation working groups.

Future Work

The project plans to continue addressing industry and community needs related to cyber resilience as they arise with the goal of continuously improving the cyber resilience of open source projects.

Project Scheduling

The project scheduling is still in the planning phase as it requires careful coordination with the institutions.

Initial Contribution

The initial contribution consists of an initial draft of the Vulnerability Handling specification in Markdown format.
