Hi all,

After lots of discussions at some of our Open Office hours, at the Cauldron, with other Software Freedom organizations, and with some of our hardware and services providers, we now have a Sourceware Cyber Security FAQ explaining topics like the "US Improving the Nation's Cybersecurity Executive Order 14028", the "EU Cyber Resilience Act (EU CRA)" and the "Secure Software Development Framework (NIST SP 800-218)".

https://sourceware.org/cyber-security-faq.html

We would like to extend this with some recommended practices for projects to adopt. Although it is clear that these regulations are mainly aimed at commercial entities, who bear the brunt of these requirements, we believe this is an opportunity for projects to get more (corporate) contributions, since these guidelines and requirements strongly suggest or mandate that they make all their work public and contribute (security issues) back upstream. So any policies documenting how to clearly report issues and documenting the contributing and release practices should be helpful.

Please let us know if you have any questions or suggestions.

Cheers,

Mark Wielaard (for the Sourceware PLC)
https://sourceware.org/mission.html#plc