oss-sec mailing list archives
Re: Becoming a CVE Naming Authority for your project
From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Wed, 5 Nov 2025 07:56:00 -0800
On 11/5/25 04:30, Peter Gutmann wrote:
> Greg KH <greg () kroah com> writes:
>
>> I totally agree that all "major" open source projects should become a CNA, and strongly recommend taking back control over stuff like this.
>
> The problem is that individuals can't be CNAs…

Another problem for projects with few maintainers and resources is that it’s lower effort to dispute incorrect CVEs than register as a CNA, at least while CVE volume is low. This is obviously a worse outcome for downstream users who may have already started processing and dealing with the false CVE. I’m not saying this is a good approach, but just noting this is the way incentives are currently (mis)aligned.
