oss-sec mailing list archives
Re: Becoming a CVE Naming Authority for your project
From: Yogesh Mittal <ymittal () redhat com>
Date: Wed, 5 Nov 2025 18:46:52 +0530
That's exactly right, Greg. If by 'smaller' OSS projects you mean those that are resource-constrained, Red Hat is here to help! As a Root in the CVE Program, we both onboard new OSS projects to become independent CNAs and use our CNA-LR function to fully support those smaller projects (providing ID assignment, publishing, and general program support).

Any resource-constrained project can reach out to our team by emailing us at cnalr-coordination () redhat com

Thanks and regards,

Yogesh Mittal
Manager, Product Security Vulnerability Management
Red Hat Pune <https://www.redhat.com/>
ymittal () redhat com
M: +91-9637123455

On Wed, Nov 5, 2025 at 4:54 AM Greg KH <greg () kroah com> wrote:
On Tue, Nov 04, 2025 at 08:47:35AM -0300, Rodrigo Freire wrote:

Open Source Project Maintainers,

Managing security vulnerabilities is currently a significant pain, especially with the recent increase in dubious CVE reports due to AI assistants. The discussion around questionable CVEs reported against projects like dnsmasq and curl highlights a growing concern within the open source community.

One effective way to combat the influx of bogus CVEs and ensure accurate vulnerability reporting is for open source projects to become their own CVE Numbering Authority (CNA). As a CNA, your project gains control over the CVE assignment process. Taking ownership of your project's as a CNA ensures that you are in control of the CVE assignment. There will be some requirements to it, sure thing. Check https://openssf.org/blog/2023/11/27/openssf-introduces-guide-to-becoming-a-cve-numbering-authority-as-an-open-source-project/

I totally agree that all "major" open source projects should become a CNA, and strongly recommend taking back control over stuff like this.

But, for "smaller" open source projects, it would be _great_ if a root CNA could become the default for all of open source so that we don't have the problem where any CNA can assign CVEs against any random software without any repercussions.

thanks,

greg k-h
Current thread:
- Becoming a CVE Naming Authority for your project Rodrigo Freire (Nov 04)
- Re: Becoming a CVE Naming Authority for your project Greg KH (Nov 04)
- Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 05)
- Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
- Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 05)
- Re: Becoming a CVE Naming Authority for your project Matthew Fernandez (Nov 05)
- Re: Becoming a CVE Naming Authority for your project Art Manion (Nov 05)
- Re: Becoming a CVE Naming Authority for your project Pedro Sampaio (Nov 05)
- Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 06)
- Re: Becoming a CVE Naming Authority for your project Peter Gutmann (Nov 07)
- Re: Becoming a CVE Naming Authority for your project Olle E. Johansson (Nov 05)
- Re: Becoming a CVE Naming Authority for your project Greg KH (Nov 04)
- Re: Becoming a CVE Naming Authority for your project Jeremy Stanley (Nov 06)
