CSIRT identification for stewards

Guidance needed

Defining criteria which open-source software stewards (and open source maintainers) can rely on to identify which CSIRT they need to notify of actively exploited vulnerabilities or severe incidents.

Background

Article 17(4) explains the criteria manufacturers should use to identify their relevant CSIRT, but these criteria aren't easily applicable to stewards (or open source maintainers).

Why this matters

Stewards (and open source maintainers) shouldn't have to struggle to identify the right CSIRT and still be unclear about whom to contact in case of an actively exploited vulnerability or severe incident.

ORC WG Recommendation

Providing a fallback with ENISA in case a steward (or an open source maintainer) isn't able to easily identify their CSIRT, or struggles with language barriers, would be beneficial to the cyber resilience of the open source ecosystem and of the European Union.

Related FAQs