What is the scope of the spec?

[tobie]

Is the scope any organization managing vulnerabilities in any kind of products or is it focused on vulnerabilities affecting open source projects and the organizations managing those open source projects?

[mrybczyn]

The main scope was an open source organization/project, but from my view it applies exactly the same way to many types of companies.

[tobie]

Agreed, but do we have the right stakeholders around the table to attempt such a broader scope?

[tobie]

Having thought this through, for consistency with the rest fo our work, our scope, the nature of our stakeholders, and our ability to execute, I believe we should scope this specs to open source projects and their maintainers only. If other organizations like what they find here and what to adapt it to a broader or different scope, the licensing terms absolutely allows them to do so.