Johannes,

If that community does not have a CNA with it in their scope, it is open for assignment. Sometimes it is easier to have a Root CNA assign for that under the CVE Services. Just note that as the CNA, everyone can / should come back to you for the updates and the CNA vulnrichment will come back to your CNA.

Pete

PS I am on the CVE Board.
On Mon, Jan 27, 2025 at 11:13 AM Johannes Segitz <jseg...@suse.de> wrote:
> On Sat, Jan 25, 2025 at 01:24:36AM +0000, Mark Esler wrote:
> > On Wed, Jan 22, 2025 at 03:18:10PM +0100, Johannes Segitz wrote:
> > > We're not empowered to do this. We are a CNA for code that we own (e.g.
> > > zypper), but not for arbitrary open source projects.
> >
> > The text of SUSE's scope [0] is similar to Canonical's [1]. We
> > understand "All Canonical issues (including Ubuntu Linux) only" as
> > including all software we distribute. It does not require us to be the
> > author of that code.
>
> Interesting. I'll reach out to MITRE to clarify this and will report back
> (might take a while, I'll be away for some weeks starting tomorrow). When I
> was introduced to this > 10 years ago I was told not to allocate for
> anything for which we're not clearly upstream.
>
> Johannes
> --
> GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
> Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
> SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg,
> Germany
> Managing Directors: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809,
> AG Nürnberg)