From bca1c50f86b515f0f78bc9fea6c77ea50680fc9f 2024-02-02 06:16:55 From: Denver Gingerich Date: 2024-02-02 06:16:55 Subject: [PATCH] usethesource: fix plurality of OSPO abbr in CCIRT --- diff --git a/conservancy/usethesource/templates/usethesource/ccirt_process.html b/conservancy/usethesource/templates/usethesource/ccirt_process.html index d5be1761d2e62e6dc34dbe140e824420c4073816..c096c402e588ca444b28d64a4381cd97751d9442 100644 --- a/conservancy/usethesource/templates/usethesource/ccirt_process.html +++ b/conservancy/usethesource/templates/usethesource/ccirt_process.html @@ -9,7 +9,7 @@

We at SFC are providing an opportunity for companies who want to be notified of source candidates of theirs that we plan to post to Use The Source to provide us with the email address of their Copyleft Compliance Incident Response Team (CCIRT), which we will email when we receive a new source candidate for the company that we plan to post. If we have a CCIRT email address on a file for a given company, we will email this address if we receive a source candidate from that company, and then wait at least 7 days for a reply - if an updated candidate is received, we will post that, otherwise we will post the candidate that we notified the CCIRT team about as-is.

-

As discussed in our [FIXME: link] blog post, the CCIRT is an important part of an organization's OSPO or cybersecurity team. SFC hopes that companies will treat any reports from SFC with the same urgency as any security vulnerabilities they are made aware of, since failure to provide complete source code severely impedes users' and third party repair companies' ability to fix them.

+

As discussed in our [FIXME: link] blog post, the CCIRT is an important part of an organization's OSPO or cybersecurity team. SFC hopes that companies will treat any reports from SFC with the same urgency as any security vulnerabilities they are made aware of, since failure to provide complete source code severely impedes users' and third party repair companies' ability to fix them.

Based on our decades of GPL compliance experience, we expect that many of the source code candidates we receive from the public will be incomplete. SFC cannot immediately validate nor invalidate any of those claims due to the vast number of devices on the market. But we are willing to engage with companies' CCIRTs so they have a chance to (re-)review these candidates if they wish, before SFC publishes them.