Date: Mon, 22 May 2017 18:53:42 -0600
From: Kurt Seifried <>
Subject: Re: How to request a CVE for open source projects

On 2017-05-22 5:44 PM, Kurt H Maier wrote:
> On Mon, May 22, 2017 at 03:13:42PM -0600, Kurt Seifried wrote:
>> Well actually they can. Why do you think we (DWF) have an extensible Json format with the data hosted in git? Hint: so people can contribute.
> Is it the opaque Google Docs form that fosters contribution, or the
> gatekept pull-request process requiring a Github account that fosters
> contribution?
Neither, that's part of what I'm figuring out. Most likely it'll look
like a trusted pool of people (aka CVE Mentors) that can either
contribute or more easily gatekeep. Also the docs are out of date and
the process is evolving rapidly so I haven't really bothered updating
them since things keep changing.

> At what point in the DWF process is third-party input expected to occur?

Good question. What exactly is it you want to input? CVE requests? CVE
assignments? Modify existing CVE entries?
> The matter is not addressed in the documentation repository.  Feel free 
> to mail me offlist if the answers would induce excessive cognitive 
> dissonance.
Not really. The docs are out of date and I'm more concerned about
evolving this right now than updating documentation.

> khm

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:
