On Wed, Jan 22, 2025 at 12:50:21PM +0100, Greg KH wrote:
> But this topic has come up recently in talking with other open source
> CNA groups. The "real" solution for it is to talk to a different root
> CNA (i.e. anyone other than MITRE). For open source projects, that
> _should_ be Red Hat, but I don't know if they yet have a simple way to
> ask for stuff like this, other than the back-channel you probably used
> last time. I think RH is working to codify this somehow, but I can't
> speak for them.

We considered this and might go this route, but this is mostly for embargoed issues. For more important vulnerabilities we share them via (linux-)distros, but it would be IMHO kind of weird to request CVEs for non-public vulnerabilities from RH.

> Or, better yet, as SUSE is a CNA, why not just assign CVE ids yourself,
> as part of the "open source projects affected in a SUSE product that are
> not covered by any other CNA" rules. Doesn't your CNA charter allow you
> to do this now?

We're not empowered to do this. We are a CNA for code that we own (e.g. zypper), but not for arbitrary open source projects.

Johannes

--
GPG Key E7C81FA0
EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg
Geschäftsführer: Felix Imendörffer (HRB 36809, AG Nürnberg)