CfC: Adopt W3C Standards Vulnerability Disclosure & Handling Process and Policy as a Work Item

[simoneonofri]

W3C Team published W3C Security Disclosures Best Practices in 2017.

Given that the Security Interest Group manages security aspects of standardization with a focus on Threat Modeling, and to facilitate compliance with the EU Cyber Resilience Act for those who develop open source software, the deliverable should be adopted and updated with new security practices.

We discussed this briefly in our most recent IG meeting, with no objections raised. To ensure everyone has an opportunity to weigh in, this issue will serve as a record of the group's decision, one way or another. I've pre-populated this issue with both a 👍 and a 👎 to make collecting a signal from folks worldwide trivial. If you register discontent with the publication, please add a comment so we know what we can address to remove the concern.

Thanks! Please respond by 2025-05-08, at which point I'll close this CfC.

[jyasskin]

I'd like to see the group start to succeed on its initial and chartered deliverables before adding more work. There's not yet a draft for either threat model deliverable, right? The AI threat model also isn't even moved into a repository associated with this group yet, and there has been no progress on fixing its incorrect factual claims.

[jyasskin]

Further, after the confusion about the scope of the AI threat model, I think any new work based on a document needs a clear statement of the intended scope before we can decide to adopt it.

[simoneonofri]

Hi @jyasskin, thank you for your comments

I'd like to see the group start to succeed on its initial and chartered deliverables before adding more work. There's not yet a draft for either threat model deliverable, right?

For the TMG, we're working with @jandrieu, on a Google Docs so that it can then be published on GH.

For the TMW, we discussred with @SamuelSchlesinger on the fact that it might be useful to have a volunteer from the browser developer side on this.

The AI threat model also isn't even moved into a repository associated with this group yet, and there has been no progress on fixing its incorrect factual claims.

I will respond to this in the specific issue/PR (ops, reopened the relevant issue). In any case, I was waiting for feedback from @TomCJones and contacted the spec editor.

[simoneonofri]

Hi all,

In the meantime, I have updated the document

[innotommy]

Hi Jeffrey,

Thank you for raising these important concerns. I acknowledge that we are behind on our group deliverables, and we are making every effort to meet our commitments.

However, I'd like to explain why I believe adopting the W3C Standards Vulnerability Disclosure & Handling Process and Policy is essential at this time:

1. Foundational Nature: This document establishes the fundamental framework for how security vulnerabilities in W3C standards are disclosed and handled. It's not additional work competing with our threat modeling deliverables, but rather foundational infrastructure that supports all security-related work.

2. Community Enablement: By adopting this policy, we create a clear path for external contributors to report security issues in W3C standards. This directly supports our mission of delivering secure standards and ensuring the community can meaningfully contribute to security improvements.

3. Complementary to Current Work: Rather than distracting from our threat modeling deliverables (TMG and TMW), this policy actually provides the procedural framework that makes our threat modeling work more actionable.

Regarding scope: The document specifically covers vulnerability disclosure and handling processes for W3C specifications. I'm happy to work with the group to clearly define the boundaries and deliverables before we proceed.

For these reasons, I express my approval for adopting this document as a work item.