Changeset - 5ed4be23d352
[Not reviewed]
Denver Gingerich - 3 months ago 2024-02-02 06:16:03
denver@ossguy.com
usethesource: fix end tag for OSPO abbr in CCIRT
1 file changed with 1 insertions and 1 deletions:
0 comments (0 inline, 0 general)
conservancy/usethesource/templates/usethesource/ccirt_process.html
...
 
@@ -6,13 +6,13 @@
 
  {{ block.super }}
 

	
 
  <h1>Timelines for CCIRT email submission and notifications</h1>
 

	
 
  <p>We at SFC are providing an opportunity for companies who want to be notified of source candidates of theirs that we plan to post to <a href="..">Use The Source</a> to provide us with the email address of their Copyleft Compliance Incident Response Team (CCIRT), which we will email when we receive a new source candidate for the company that we plan to post.  If we have a CCIRT email address on a file for a given company, we will email this address if we receive a source candidate from that company, and then wait at least 7 days for a reply - if an updated candidate is received, we will post that, otherwise we will post the candidate that we notified the CCIRT team about as-is.</p>
 

	
 
  <p>As discussed in our [FIXME: link] blog post, the CCIRT is an important part of an organization's <abbr title="Open Source Programs Office">OSPO</a> or cybersecurity team.  SFC hopes that companies will treat any reports from SFC with the same urgency as any security vulnerabilities they are made aware of, since failure to provide complete source code severely impedes users' and third party repair companies' ability to fix them.</p>
 
  <p>As discussed in our [FIXME: link] blog post, the CCIRT is an important part of an organization's <abbr title="Open Source Programs Office">OSPO</abbr> or cybersecurity team.  SFC hopes that companies will treat any reports from SFC with the same urgency as any security vulnerabilities they are made aware of, since failure to provide complete source code severely impedes users' and third party repair companies' ability to fix them.</p>
 

	
 
  <p>Based on our decades of GPL compliance experience, we expect that many of the source code candidates we receive from the public will be incomplete.  SFC cannot immediately validate nor invalidate any of those claims due to the vast number of devices on the market.  But we are willing to engage with companies' CCIRTs so they have a chance to (re-)review these candidates if they wish, before SFC publishes them.</p>
 

	
 
  <p>We are providing a 30-day window, starting on February 3, 2024 (and ending at 23:59 <abbr title="Anywhere on Earth">AoE</abbr> on March 4, 2024), in which companies can send us the email address of their CCIRT (to <a href="mailto:compliance@sfconservancy.org">compliance@sfconservancy.org</a> with Subject "CCIRT contact") so we can contact this team about any source candidates we receive, giving them 7 calendar days to confirm all potential copyleft licenses issues are resolved.  At the end of these 7 days, we will publish the updated source candidate (if we receive one), or the original (if no update is received).  If we have no contact registered, the source candidate will be published without any grace period following the initial 30-day window.</p>
 

	
 
  <p>After this initial 30-day window, companies can still send us the email address of their CCIRT and, after we receive this email address, we will give them 7 calendar days from the first notification of an incomplete source candidate to resolve the issue.  However, it is best for companies to let us know about their CCIRT before this 30-day window ends in case there are any pending source candidates to publish when that 30-day window ends.</p>
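Review bot: the paragraph touched here (the one whose OSPO abbreviation now ends in `</abbr>`) still opens with the literal placeholder "[FIXME: link]", which will render to readers as-is; fill in the blog post link or drop the clause before this template is published. The end-tag correction itself is right: `<abbr title="Open Source Programs Office">` is now closed by `</abbr>` instead of `</a>`. Because a mismatched end tag made it into the template in the first place, an HTML well-formedness check over the templates in CI would catch this class of error before it ships. Two wording nits in the unchanged context lines, if a follow-up is planned: "on a file" in the first paragraph reads as "on file", and "licenses issues" in the 30-day-window paragraph reads as "license issues".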