oss-sec mailing list archives

Re: Becoming a CVE Naming Authority for your project
From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Fri, 7 Nov 2025 09:01:10 +0000

Olle E. Johansson <oej () edvina net> writes:

> I think there are very few one person projects that have knowledge, time and
> resources to operate a CNA.

This isn't one person trying to run a CNA for something like Apache, it's one
person running a CNA for Bob's Text Editor, which gets seven proposed CVEs a
year of which six are AI slop and the seventh is an airtight-hatchway
"vulnerability".  It's a means of dealing with AI slop and bogus CVEs for
small projects as per a much earlier portion of the discussion.

Just for reference the response I got at the time, triggered by some random
CNA issuing a bogus CVE that I didn't find out about until weeks later, was:

  Unfortunately, Individuals are not eligible to become a CNA.

  If your project is hosted on GitHub, consider using the GitHub CNA.

So that would in theory be one way to do it, but since its main purpose is
dealing with a flood of AI slop I'm not sure that moving to having the GitHub
CNA flooded with it is the right way to do it.  The goalposts have shifted a
lot since the CNA model was originally set up, for many projects the main
issue is dealing with AI slop, not dealing with vulns.

Peter.
