Message-ID: <2e1870e5-5a5b-4db5-84f5-e4a3f728db61@gmail.com>
Date: Wed, 5 Nov 2025 07:56:00 -0800
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Becoming a CVE Naming Authority for your project



On 11/5/25 04:30, Peter Gutmann wrote:
> Greg KH <greg@...ah.com> writes:
> 
>> I totally agree that all "major" open source projects should become a CNA,
>> and strongly recommend taking back control over stuff like this.
> 
> The problem is that individuals can't be CNAs…

Another problem for projects with few maintainers and resources is that 
it’s lower effort to dispute incorrect CVEs than register as a CNA, at 
least while CVE volume is low. This is obviously a worse outcome for 
downstream users who may have already started processing and dealing 
with the false CVE. I’m not saying this is a good approach, but just 
noting this is the way incentives are currently (mis)aligned.
