Hi!

I've been complaining in the past about the way PHP CVEs are handled - they are sometimes issued with no coordination with anybody from the PHP developers, sometimes contain misleading and outright wrong information, and sometimes disregard our guidelines for security issues (https://wiki.php.net/security). Fortunately, it looks like now there is a way to properly fix it.

In order to do that, I've decided to apply for CNA for the PHP project - see more on CNAs here: https://cve.mitre.org/cve/request_id.html - which would make PHP developers the official authority for issuing CVEs for PHP.

In order to do that, we would need one or more people to be set up as CVE mentors, as described here: https://github.com/distributedweaknessfiling/DWF-CVE-Mentor-Registry/blob/master/README.md

I plan to register myself as one, but if anyone wants to volunteer, please step up. I have already contacted Kurt Seifried about it, and got initial instructions (which are pretty much starting with filling in the mentorship forms) and would like to continue the setup, but if somebody wants to join in helping things, please tell me.

Also please tell me if you have any concerns or comments about this.

Thanks,
--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List