On Sat, Jun 07, 2025 at 04:53:07PM +0200, Bastian Blank wrote:
On Sat, Jun 07, 2025 at 10:37:12AM -0400, Sasha Levin wrote:
The scope, which I assume was quoted from
https://www.cve.org/PartnerInformation/ListofPartners/partner/Linux also
lists c...@kernel.org as the right email to contact.
This page also links as step one to
https://www.kernel.org/doc/html/latest/process/security-bugs.html, which
does _not_ list c...@kernel.org anywhere.
Hrm... Have you read through the doc?
Note that this isn't just a technicality: for example, I'm a member of
cve@k.o, but *NOT* of security@k.o.
But it already reached the right organisation. Did security@k.o respond
with a referal?
security-bugs.html which you've linked contains information about the
CVE process and answers your question:
CVE assignment
The security team does not assign CVEs, nor do we require them
for reports or fixes, as this can needlessly complicate the
process and may delay the bug handling. If a reporter wishes to
have a CVE identifier assigned for a confirmed issue, they can
contact the kernel CVE assignment[1] team to obtain one.
[1] https://www.kernel.org/doc/html/latest/process/cve.html
--
Thanks,
Sasha
