WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.
@@ -440,14 +440,26 @@ The operating system can choose which thread to schedule based on factors such a
### 4.3.6 Vulnerability Handling
When a Product with Digital Element's core functions is not that of an operating system, and it contains an operating system, then the manufacturer of the operating system shall provide:
1. clear documentation of all essential security capabilities, and
1. unique, unambiguous, and machine-readable identification of all components of the operating system, including integrated third party components, in a format consistent with common vulnerability handling standards.
Providing this information enables the manufacturer of the PwDE which integrates the operating system to:
1. verify that the PwDE's forseeable use case can rely on appropriate security protections from the operating system, and
1. verify that the PwDE is free of known vulnerabilities at the time it is placed on the market, and
1. proactively monitor for the disclosure of new vulnerabilities in the operating system and its dependencies which might affect the security of the PwDE.
#### 4.3.6.1 General Vulnerability Handling
Operating Systems provide essential functionality for securely updating hardware and software products which integrate the operating system. Therefore, the manufacturer of the Operating System shall document and maintain a policy for handling vulnerabilities in accordance with <<NORMATIVEREFERENCETOPT3HERE>>.
For operating systems that rely on third-party open source software components, the manufacturer's vulnerability handling process should take into account <<INFORMATIVEREFERENCETOFIRSTGUIDANCEHERE>>. In particular, it should include:
1. recording of all third-party open source components by name, version, source location, and hash-based identifier;
1. proactive monitoring of external sources for vulnerability disclosure regarding the third-party open source components;
#### 4.3.6.2 Enabling Vulnerability Handling in Integrated Products
When Operating Systems are integrated into subsequent products in a supply chain, vulnerabilities in the operating system may have a particularly high impact on the security characteristics of the final product. Therefore, manufacturers of Operating Systems intended for integration in subsequent products have a responsibility to enable the vulnerability handling processes of manufacturers which depend upon them.
If an operating system's use cases support integration into subsequent products, then the manufacturer of the operating system shall provide:
1. clear documentation of all essential security capabilities which the operating system provides to the integrator, and
1. unique, unambiguous, and machine-readable identification of all components of the operating system, including third party components, in a format consistent with common vulnerability handling standards.
Providing this information enables the manufacturer which integrates the operating system to:
1. verify that the forseeable use of the final product can rely on appropriate security protections from the operating system, and
1. verify that the product, including components integrated in the operating system, is free of known vulnerabilities at the time it is placed on the market, and
1. proactively monitor for the disclosure of new vulnerabilities, including in the operating system and its components, which might affect the security of the final product.
