Creation Review

Type
Creation
State
Ongoing
End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Proposal

Cyber Resilience Practices

Wednesday, November 13, 2024 - 10:15 by Tobie Langel
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Is this a specification project?
Patent License
Implementation Patent License
Parent Project
Proposal State
Created
Background

The Eclipse Foundation has recently launched the Open Regulatory Compliance Working Group (ORC WG). This working group brings together key stakeholders from industry, small and medium enterprise (SME), research, and open source foundations to help address new government regulations impacting open source communities through education, thought leadership, engaging with relevant institutions, and developing specifications.

One of the initial focuses of the ORC WG is to help open source communities and the broader tech industry better understand and prepare to meet the compliance requirements of the European Cyber Resilience Act (CRA) and of similar upcoming legislation in other jurisdictions. To do so, the ORC WG has created the Cyber Resilience Special Interest Group (SIG). This SIG has identified a set of specifications that are required to further its mission. The intention is for the Cyber Resilience Practices Project to host these specifications and develop them with guidance from the SIG.

Initial work will focus on implementing the specifications defined by the SIG’s 2025 Deliverables Plan, including:

  • Vulnerability Handling;
  • Security Policy for Open Source Software Stewards;
  • Principles for Cyber Resilience for Open Source Development; and
  • Generic Security Requirements for Open Source Components.

The Vulnerability Handling specification will be created first.

Scope

Cyber Resilience Practices provides specifications designed to support compliance with global legislation aimed at enhancing cyber resilience.

Description

The Cyber Resilience Practices Project develops specifications designed to help improve the cyber resilience of open source projects and of the products that incorporate these projects and facilitate compliance with related regulation worldwide.

The first specification to be developed by this project is the Vulnerability Handling Specification.

The Vulnerability Handling Specification focuses on vulnerability management for products with digital elements, as outlined by the Essential Requirements of the CRA. It details the necessary components of a vulnerability handling policy, including procedures for receiving reports, resolving issues, and disclosing vulnerabilities. Additionally, it specifies the requirements for managing vulnerable dependencies.

Why Here?

An Eclipse Foundation Project is the logical home to develop specifications for Eclipse Foundation working groups.

Future Work

The project plans to continue addressing industry and community needs related to cyber resilience as they arise with the goal of continuously improving the cyber resilience of open source projects.

Project Scheduling

The project scheduling is still in the planning phase, as it requires careful coordination with the relevant institutions.

Initial Contribution

The initial contribution consists of an initial draft of the Vulnerability Handling specification in Markdown format.

Source Repository Type

Two types of machine readable vulnerability reporting have been used extensively to communicate with customers with affected products.

  1. Security Advisories - following the CSAF profile 4 Security Advisory profile, this is vulnerability-centric reporting on a specific vulnerability and the affected products
  2. Vulnerability Disclosure Reports (NIST guidance in SP 800-161r1), now renamed Vulnerability Advisory Reports (VAR), reporting on the vulnerability status of a specific product, typically at the SBOM component level. Two machine readable VDR/VAR formats are available:
  • Implicit - only listing SBOM components with reported vulnerabilities in a product
  • Explicit - lists each SBOM component with its vulnerability status, including those with no vulnerabilities reported, serving as an attestation by a supplier of their vulnerability monitoring activities per product

Both implicit and explicit options of VDR/VAR have open source, free to use machine readable formats available for use that follow the NIST SP 800-161r1 RA-5 data requirements.

The US Government has created a SCRM best practices guide that guides government agencies in acquiring trustworthy software products, which contains a section on Vulnerability Management expectations following NIST guidance from product suppliers: CISA Secure by Design Software Acquisition Guide.
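The implicit/explicit distinction described in the comment above, as an added illustration that is not part of the proposal or of the comment. The record layout is a hypothetical, simplified structure (not the CSAF, CycloneDX or SPDX schema), the package URLs and CVE-style identifiers are constructed placeholders, and the `not_assessed` status is an assumption introduced to show what an implicit report cannot express: a consumer of an implicit report has to treat every unlisted component as unknown, whereas an explicit report lets it separate "scanned and clean" from "never looked at".

```python
# Added illustration (not the proposal's or the commenter's code). The record
# layout is a deliberately simplified, hypothetical structure, NOT the CSAF,
# CycloneDX or SPDX schema; it exists only to show why an explicit VDR/VAR
# carries information an implicit one cannot.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    purl: str       # SBOM component the finding applies to
    vuln_id: str    # CVE-style identifier (constructed placeholder values below)
    status: str     # "affected", "not_affected" or "fixed"


# Constructed sample inputs: a four-component SBOM, the findings the supplier
# has recorded, and the subset of components the supplier actually assessed.
SBOM = [
    "pkg:maven/org.example/parser@2.1.0",
    "pkg:maven/org.example/crypto@1.0.3",
    "pkg:npm/example-ui@4.2.0",
    "pkg:pypi/example-tools@0.9.1",
]
FINDINGS = [
    Finding("pkg:maven/org.example/parser@2.1.0", "CVE-0000-0001", "affected"),
    Finding("pkg:maven/org.example/crypto@1.0.3", "CVE-0000-0002", "not_affected"),
]
ASSESSED = {
    "pkg:maven/org.example/parser@2.1.0",
    "pkg:maven/org.example/crypto@1.0.3",
    "pkg:npm/example-ui@4.2.0",
}  # example-tools was never scanned by the supplier


def _findings_by_component(findings):
    by_purl = {}
    for f in findings:
        by_purl.setdefault(f.purl, []).append({"id": f.vuln_id, "status": f.status})
    return by_purl


def implicit_report(findings):
    """Implicit VDR/VAR: only components with at least one finding appear.
    A component that is absent is ambiguous: clean, or simply not assessed."""
    return {"format": "implicit", "components": _findings_by_component(findings)}


def explicit_report(sbom, findings, assessed):
    """Explicit VDR/VAR: every SBOM component appears with a status, so a
    clean component ("no_known_vulnerabilities") is distinguishable from one
    the supplier never examined ("not_assessed", an assumed status here)."""
    by_purl = _findings_by_component(findings)
    components = {}
    for purl in sbom:
        if purl in by_purl:
            components[purl] = {"status": "has_findings", "vulnerabilities": by_purl[purl]}
        elif purl in assessed:
            components[purl] = {"status": "no_known_vulnerabilities", "vulnerabilities": []}
        else:
            components[purl] = {"status": "not_assessed", "vulnerabilities": []}
    return {"format": "explicit", "components": components}


def needs_follow_up(report, sbom):
    """Consumer-side check: which SBOM components cannot be trusted as clean?
    For an explicit report that is exactly the set marked not_assessed; for an
    implicit report every unlisted component must be treated as unknown."""
    comps = report["components"]
    if report["format"] == "explicit":
        return sorted(p for p, c in comps.items() if c["status"] == "not_assessed")
    return sorted(p for p in sbom if p not in comps)


if __name__ == "__main__":
    for rep in (implicit_report(FINDINGS), explicit_report(SBOM, FINDINGS, ASSESSED)):
        print(rep["format"], "report -> follow up on:", needs_follow_up(rep, SBOM))
```

Running the block shows the implicit report forcing follow-up on two components (the clean `example-ui` as well as the unassessed `example-tools`), while the explicit report narrows it to the one component the supplier never assessed; that narrowing is the attestation value the comment attributes to the explicit format.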
