On 7/10/24 08:06, Pete Allor wrote:
> Under CVE rules, Red Hat can only assign a CVE for issues within our scope, which for most CNAs means their software. RH has, on occasion, provided a CVE for upstream projects which are not covered by another CNA. That is really about a coordination point between multiple parties.
But the scope of Red Hat's CNA explicitly includes all open source projects included in a Red Hat product: https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat and many projects have been told to contact Red Hat to request CVEs over the years.

I know I've requested and received many CVEs from the Red Hat CNA for security advisories issued by the X.Org Foundation - far more than "on occasion".

--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris