Date: Mon, 22 May 2017 18:53:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: How to request a CVE for open source projects

On 2017-05-22 5:44 PM, Kurt H Maier wrote:
> On Mon, May 22, 2017 at 03:13:42PM -0600, Kurt Seifried wrote:
>> Well actually they can. Why do you think we (DWF) have an extensible Json format with the data hosted in git? Hint: so people can contribute.
>
> Is it the opaque Google Docs form that fosters contribution, or the
> gatekept pull-request process requiring a Github account that fosters
> contribution?

Neither, that's part of what I'm figuring out. Most likely it'll look like a trusted pool of people (aka CVE Mentors) that can either contribute or more easily gatekeep. Also the docs are out of date and the process is evolving rapidly so I haven't really bothered updating them since things keep changing.

> At what point in the DWF process is third-party input expected to occur?

Good question. What exactly is it you want to input? CVE requests? CVE assignments? Modify existing CVE entries?

> The matter is not addressed in the documentation repository. Feel free
> to mail me offlist if the answers would induce excessive cognitive
> dissonance.

Not really. The docs are out of date and I'm more concerned about evolving this right now than updating documentation.

>
> khm

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com