Commit 9a0f8a82 authored by Aeva Black

fix should/shall in 4.3.6.1

parent e9585129
+3 −1
@@ -444,10 +444,12 @@ The operating system can choose which thread to schedule based on factors such a

Operating Systems provide essential functionality for securely updating hardware and software products which integrate the operating system. Therefore, the manufacturer of the Operating System shall document and maintain a policy for handling vulnerabilities in accordance with << NORMATIVE REFERENCE TO PT3 HERE>>.

For operating systems that rely on third-party open source software components, the manufacturer's vulnerability handling process should take into account << INFORMATIVE REFERENCE TO FIRST GUIDANCE HERE >>. In particular, it should include:
For operating systems that rely on third-party open source software components, the manufacturer's vulnerability handling process shall include:
1. recording of all third-party open source components by name, version, source location, and hash-based identifier;
1. proactive monitoring of external sources for vulnerability disclosure regarding the third-party open source components;

This should be accomplished by implementing additional vulnerability handling steps according to common industry standards such as << INFORMATIVE REFERENCE TO FIRST GUIDANCE HERE >>, and by relying on accepted standards for precise software identification, such as << INFORMATIVE REFERENCE TO PURL and SWHID HERE >>.

#### 4.3.6.2 Enabling Vulnerability Handling in Integrated Products 

When Operating Systems are integrated into subsequent products in a supply chain, vulnerabilities in the operating system may have a particularly high impact on the security characteristics of the final product. Therefore, manufacturers of Operating Systems intended for integration in subsequent products have a responsibility to enable the vulnerability handling processes of manufacturers which depend upon them.
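
Review bot: The added paragraph after the list ("This should be accomplished by implementing additional vulnerability handling steps ...") leaves the new "shall include" requirements hard to assess for conformance. Item 1 now requires a "hash-based identifier" at shall level, but the only indication of what qualifies is a should-level, informative pointer to PURL and SWHID, and "This" can be read as referring to the whole process or to either list item. Suggest tying each recommendation to its item, for example one sentence saying component identification should rely on the PURL and SWHID reference and another saying monitoring should follow the FIRST guidance, and stating explicitly whether a particular identifier format is required or only recommended. The last list item still ends with a semicolon ("... regarding the third-party open source components;") directly before the new paragraph, so it should end with a period. The `<< ... HERE >>` placeholders in this hunk, including the normative PT3 reference, need to be resolved before the shall wording can be checked against anything.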