The following test requirements need to be implemented:

• While active, the project documentation MUST publicly publish data about discovered vulnerabilities.
• While active, any vulnerabilities in the software components not affecting the project MUST be accounted for in a VEX document, augmenting the vulnerability report with non-exploitability details.

OSPS-VM-04